Posted to c-users@xerces.apache.org by liangsheng <ha...@hotmail.com> on 2015/01/21 09:34:09 UTC

How to avoid XML External Entity (XXE) Vulnerability with Xerces-c++

Hello,

I am using Xerces-c++ 2.7.0. I work with the SAX2 interface.

I just learned about the XXE vulnerability, that is, using entity expansion or an external entity attack to consume the resources of an XML parser or slow down parsing: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

I am looking for a method to avoid XXE attacks, but have failed to find a way with Xerces-c++ SAX2.

First I found that JAXP can disable the doctype in XML. Then I found that Xerces-J can disallow an inline DTD. However, these two interfaces are for Java.

I also found that Xerces-c++ supports a security manager which can protect against too many entity expansions. However, this class can be used only in the SAXParser class. As far as I know, SAXParser is for SAX. In SAX2, we use SAX2XMLReader.

So it seems I can't find a method to disable or constrain entity expansion in Xerces-c++ with SAX2.

Could anyone help me with this issue?

Best Regards,
hardrock
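As an added example (not code from the post above or from Xerces-c++), here is a parser-independent gate in C++ that rejects any document whose prolog carries a DOCTYPE, the same policy as the JAXP disallow-doctype approach the post mentions, applied to the bytes before they are handed to a SAX2XMLReader. The sample documents are constructed, and the check assumes an ASCII-compatible encoding.

```cpp
#include <cstring>
#include <string>

// Pre-parse gate for XML input: any DTD (internal subset or external
// reference) is where entity declarations live, so refusing documents whose
// prolog contains a DOCTYPE blocks external-entity references and entity
// expansion before the bytes reach the parser.
// Assumes an ASCII-compatible encoding (UTF-8, Latin-1), not UTF-16.
enum class PrologCheck { Clean, HasDoctype, Malformed };
static bool startsWith(const std::string& s, size_t pos, const char* lit) {
    return s.compare(pos, std::strlen(lit), lit) == 0;
}

// Walks the prolog (XML declaration, comments, PIs) until the root element.
PrologCheck checkProlog(const std::string& doc) {
    const size_t n = doc.size();
    size_t pos = startsWith(doc, 0, "\xEF\xBB\xBF") ? 3 : 0;  // skip UTF-8 BOM
    while (pos < n) {
        char c = doc[pos];
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') { ++pos; continue; }
        if (c != '<') return PrologCheck::Malformed;      // text before root
        if (startsWith(doc, pos, "<?")) {                  // XML decl or PI
            size_t end = doc.find("?>", pos + 2);
            if (end == std::string::npos) return PrologCheck::Malformed;
            pos = end + 2;
        } else if (startsWith(doc, pos, "<!--")) {         // comment
            size_t end = doc.find("-->", pos + 4);
            if (end == std::string::npos) return PrologCheck::Malformed;
            pos = end + 3;
        } else if (startsWith(doc, pos, "<!DOCTYPE")) {
            return PrologCheck::HasDoctype;                // reject: DTD present
        } else if (startsWith(doc, pos, "<!")) {
            return PrologCheck::Malformed;                 // nothing else is legal here
        } else {
            return PrologCheck::Clean;                     // root element reached, no DTD
        }
    }
    return PrologCheck::Malformed;                         // no root element at all
}

// Constructed sample inputs (not from the original post).
const std::string kBenignDoc =
    "<?xml version=\"1.0\"?>\n<!-- <!DOCTYPE inside a comment is harmless -->\n<note>hi</note>";
const std::string kDtdDoc =
    "<?xml version=\"1.0\"?>\n<!DOCTYPE note [<!ENTITY a \"x\">]>\n<note>&a;</note>";

// Only documents that pass the gate should be handed to the parser.
bool safeToParse(const std::string& doc) {
    return checkProlog(doc) == PrologCheck::Clean;
}
```

Rejecting every DOCTYPE is the coarse but robust option; it also drops documents that legitimately rely on a DTD, so apply it only where input is not expected to carry one.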