[jdom-interest] How to disable <!DOCTYPE > parsing
raff at aromatic.org
Thu Dec 16 17:13:17 PST 2004
Great! Thanks! (and sorry if I didn't look at the FAQ before ):
On Thu, 16 Dec 2004, Jason Hunter wrote:
> (I'm quick with the FAQ pointers today.)
> Raffaele Sena wrote:
> > I am pretty sure this is not a specific JDOM problem but I wanted to see
> > if any of you has an idea.
> > I am parsing some XML data using JDOM and SAXBuilder. The data is posted
> > by a web client to execute some server-side APIs. The format is very
> > simple so I don't have a DTD or schema for it. Also, I parse the document
> > with no validation (since I don't have a DTD to validate against).
> > Somebody, to test our "security holes" came up with the idea of passing a
> > <!DOCTYPE > anyway with an arbitrary URL for the DTD and what do you know,
> > the XML parser, validation or not, tries to access it (so they claim is a
> > security hole because they can generate accesses from our server to
> > whatever server they put in the DTD URL. Pretty clever actually!)
> > Again, I think this is a problem with the XML parser I am using. I found
> > out that Xalan has a special "feature" to disable DTD parsing (but I
> > didn't try because I don't want to use Xalan for this).
> > First of all, should this happen if validation is disabled ?
> > If that's out of JDOM control, can anybody think of a way to disable this
> > at the XML parser level (maybe subclassing some handler ?)
> > Thanks!
> > -- Raffaele
> > _______________________________________________
> > To control your jdom-interest membership:
> > http://firstname.lastname@example.org
> To control your jdom-interest membership:
More information about the jdom-interest