[jdom-interest] How to disable <!DOCTYPE > parsing
jhunter at xquery.com
Thu Dec 16 16:45:17 PST 2004
(I'm quick with the FAQ pointers today.)
Raffaele Sena wrote:
> I am pretty sure this is not a specific JDOM problem but I wanted to see
> if any of you has an idea.
> I am parsing some XML data using JDOM and SAXBuilder. The data is posted
> by a web client to execute some server-side APIs. The format is very
> simple so I don't have a DTD or schema for it. Also, I parse the document
> with no validation (since I don't have a DTD to validate against).
> Somebody, to test our "security holes" came up with the idea of passing a
> <!DOCTYPE > anyway with an arbitrary URL for the DTD and what do you know,
> the XML parser, validation or not, tries to access it (so they claim is a
> security hole because they can generate accesses from our server to
> whatever server they put in the DTD URL. Pretty clever actually!)
> Again, I think this is a problem with the XML parser I am using. I found
> out that Xalan has a special "feature" to disable DTD parsing (but I
> didn't try because I don't want to use Xalan for this).
> First of all, should this happen if validation is disabled ?
> If that's out of JDOM control, can anybody think of a way to disable this
> at the XML parser level (maybe subclassing some handler ?)
> -- Raffaele
> To control your jdom-interest membership:
More information about the jdom-interest