Posted to soap-dev@ws.apache.org by sn...@apache.org on 2005/06/25 00:55:57 UTC
cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
snichol 2005/06/24 15:55:57
Modified: java/src/org/apache/soap/util/xml XMLParserUtils.java
Log:
Default expandEntityReferences to true.
Revision Changes Path
1.12 +2 -2 ws-soap/java/src/org/apache/soap/util/xml/XMLParserUtils.java
Index: XMLParserUtils.java
===================================================================
RCS file: /home/cvs/ws-soap/java/src/org/apache/soap/util/xml/XMLParserUtils.java,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- XMLParserUtils.java 7 Apr 2004 20:51:40 -0000 1.11
+++ XMLParserUtils.java 24 Jun 2005 22:55:57 -0000 1.12
@@ -47,7 +47,7 @@
static {
// Create a default instance.
- refreshDocumentBuilderFactory(null, true, false, false);
+ refreshDocumentBuilderFactory(null, true, false, true);
}
/**
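Review bot: The fourth argument of the call in the static initializer flips from false to true with no comment, and the call is four positional values (null, true, false, true) that cannot be read without the method signature. The log message identifies this argument as expandEntityReferences, so add a comment at this call saying why the default is true and what bounds entity expansion for the default factory, since nothing in this hunk does.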
@@ -77,7 +77,7 @@
refreshDocumentBuilderFactory(factoryClassName,
namespaceAware,
validating,
- validating);
+ true);
}
/**
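Review bot: The last argument of this overload changes from the caller-supplied "validating" to a hard-coded "true", so a caller passing validating=false no longer gets expansion turned off through this entry point. That is a fixed value rather than the "default" the log message describes. Either add an explicit parameter for it or state in this method's comment that entity-reference expansion is always enabled here.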
Re: cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
Posted by Scott Nichol <sn...@scottnichol.com>.
This does not mean I am punting. I am changing this for now, but will try to come up with better code that protects against DOS *and* correctly expands common entities.
Scott Nichol
Do not send e-mail directly to this e-mail address,
because it is filtered to accept only mail from
specific mail lists.
----- Original Message -----
From: "Scott Nichol" <sn...@scottnichol.com>
To: <so...@ws.apache.org>
Sent: Saturday, June 25, 2005 10:38 PM
Subject: Re: cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
Yes, it was, but the unfortunate side effect is that entities like &lt; and &quot; are ignored rather than expanded, which breaks any calls where such entities appear in character data.
Scott Nichol
Do not send e-mail directly to this e-mail address,
because it is filtered to accept only mail from
specific mail lists.
----- Original Message -----
From: "WJCarpenter" <bi...@carpenter.ORG>
To: <so...@ws.apache.org>
Sent: Saturday, June 25, 2005 3:00 PM
Subject: RE: cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
> sn> Modified: java/src/org/apache/soap/util/xml XMLParserUtils.java
> sn> Log: Default expandEntityReferences to true.
>
> Wasn't that changed to false a while back to thwart DOS stuff in
> malicious XML or something? (I might be misremembering this from some
> other context.)
> --
> bill-soap@carpenter.ORG (WJCarpenter) PGP 0x91865119
> 38 95 1B 69 C9 C6 3D 25 73 46 32 04 69 D6 ED F3
>
>
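One way to get both properties named in the reply above (predefined entities expanded, DTD-defined entities refused), as an added example that is not Apache SOAP's code or the author's eventual fix. It assumes a JAXP parser that honours the Xerces disallow-doctype-decl feature (the JDK's built-in parser does); the class name and sample inputs are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedSoapParser {
    // Xerces feature id (assumption: the configured parser supports it).
    static final String NO_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Parser-imposed resource limits (entity expansion count and similar).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Any DOCTYPE is a fatal error, so no document can define its own entities.
        f.setFeature(NO_DOCTYPE, true);
        // Safe to leave on: only the five predefined entities can still occur.
        f.setExpandEntityReferences(true);
        return f.newDocumentBuilder();
    }

    static String parseText(String xml) throws Exception {
        Document d = newBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: predefined entities in character data.
        String benign = "<arg>a &lt; b and c == &quot;x&quot;</arg>";
        // Constructed input: a document that declares its own entity.
        String withDtd = "<!DOCTYPE arg [<!ENTITY e \"text\">]><arg>&e;</arg>";

        System.out.println("benign  -> " + parseText(benign));
        try {
            System.out.println("withDtd -> " + parseText(withDtd));
        } catch (SAXException e) {
            System.out.println("withDtd -> rejected: " + e.getMessage());
        }
    }
}
```

Rejecting every DOCTYPE costs nothing for this use: SOAP 1.1 states that a SOAP message must not contain a Document Type Declaration.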
Re: cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
Posted by Scott Nichol <sn...@scottnichol.com>.
Yes, it was, but the unfortunate side effect is that entities like &lt; and &quot; are ignored rather than expanded, which breaks any calls where such entities appear in character data.
Scott Nichol
Do not send e-mail directly to this e-mail address,
because it is filtered to accept only mail from
specific mail lists.
----- Original Message -----
From: "WJCarpenter" <bi...@carpenter.ORG>
To: <so...@ws.apache.org>
Sent: Saturday, June 25, 2005 3:00 PM
Subject: RE: cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
> sn> Modified: java/src/org/apache/soap/util/xml XMLParserUtils.java
> sn> Log: Default expandEntityReferences to true.
>
> Wasn't that changed to false a while back to thwart DOS stuff in
> malicious XML or something? (I might be misremembering this from some
> other context.)
> --
> bill-soap@carpenter.ORG (WJCarpenter) PGP 0x91865119
> 38 95 1B 69 C9 C6 3D 25 73 46 32 04 69 D6 ED F3
>
>
RE: cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
Posted by WJCarpenter <bi...@carpenter.ORG>.
sn> Modified: java/src/org/apache/soap/util/xml XMLParserUtils.java
sn> Log: Default expandEntityReferences to true.
Wasn't that changed to false a while back to thwart DOS stuff in
malicious XML or something? (I might be misremembering this from some
other context.)
--
bill-soap@carpenter.ORG (WJCarpenter) PGP 0x91865119
38 95 1B 69 C9 C6 3D 25 73 46 32 04 69 D6 ED F3