[jboss-user] [JBoss Seam] - Re: Don't use DTDs in your .xml files

EricJava do-not-reply at jboss.com
Sun Dec 30 20:20:14 EST 2007


"yilmaz_" wrote : That is not true. Scheme provides validation templates for your xml file.

Right, but the point is, if the parser can't find the schema file, it doesn't try to fetch it over the net.

"yilmaz_" wrote : If dom4j cannot find it, it downloads it from the internet.

And I'm making the point that that is a bad thing.

"yilmaz_" wrote : I think this guy has no knowledge about this or he has some serious configuration issues.

Well, obviously the configuration issue is that there is an error in a pages.xml file. What's bad is how this system responded to the error.

A good response: "In the file pages.xml, you refer to DTD: http://... which isn't in the classpath."

A bad response: silently making an outgoing network connection, and then failing with a "no route to host" error without even telling me which file it's trying to get.

And then I go on to make the point that if any website is using dom4j to parse user-supplied XML documents, it's possible to create a document which contains a line with a malicious DTD URL, and that could in fact be exploitable.

I perfectly understand about DTDs, but you can expect, especially in a large application, there could be some pages.xml file somewhere that's still using an old DTD when switching to a newer version of the JSF jar or whatever, and that can result in one behaviour with a network connection and a different behaviour without, which is really bad.

dom4j shouldn't be doing this kind of thing.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4116133#4116133

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4116133
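The behaviour argued for in this message (fail locally with a message naming the file and the DTD, never open a network connection) can be enforced on a dom4j SAXReader. The following is an added example, not code from the original post or from the dom4j project. It assumes the underlying SAX parser is Xerces (the JDK default), since the `load-external-dtd` feature id is Xerces-specific; the two `external-*-entities` feature ids are standard SAX. The sample document and its `dtd.example.invalid` host are constructed placeholders, and the `/dtd/` classpath directory is an assumed convention for locally shipped DTDs.

```java
import java.io.InputStream;
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class LocalOnlyXmlReader {

    // Constructed sample: a pages.xml-style document whose DOCTYPE points at a
    // remote DTD. The host name is a placeholder, not a real DTD location.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE pages PUBLIC \"-//Example//DTD Pages//EN\" "
        + "\"http://dtd.example.invalid/pages.dtd\">\n"
        + "<pages><page view-id=\"/home.xhtml\"/></pages>";

    /**
     * Builds a SAXReader that never resolves DTDs or external entities over the
     * network. sourceName is the file being parsed, used only for error messages.
     */
    static SAXReader newLocalOnlyReader(final String sourceName, boolean validating)
            throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setValidation(validating);
        // Xerces: do not load the external DTD subset in non-validating mode.
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Standard SAX: do not expand external general or parameter entities.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // If the parser still asks for an external resource (e.g. validating mode),
        // serve it from the classpath or fail with a message that names file and DTD.
        reader.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException {
                String local = systemId.substring(systemId.lastIndexOf('/') + 1);
                // Assumed convention: locally shipped DTDs live under /dtd/ on the classpath.
                InputStream in = LocalOnlyXmlReader.class.getResourceAsStream("/dtd/" + local);
                if (in == null) {
                    throw new SAXException("In the file " + sourceName + ", you refer to DTD: "
                        + systemId + " which isn't in the classpath (looked for /dtd/" + local + ")");
                }
                InputSource src = new InputSource(in);
                src.setSystemId(systemId);
                return src;
            }
        });
        return reader;
    }

    public static void main(String[] args) throws Exception {
        // Non-validating: the external DTD is skipped, the document parses, no socket is opened.
        Document doc = newLocalOnlyReader("pages.xml", false).read(new StringReader(SAMPLE_XML));
        System.out.println("root element: " + doc.getRootElement().getName());

        // Validating: the parser needs the DTD, the resolver cannot find it locally,
        // and the failure names the file and the DTD instead of "no route to host".
        try {
            newLocalOnlyReader("pages.xml", true).read(new StringReader(SAMPLE_XML));
        } catch (DocumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with dom4j on the classpath; the second branch is the "good response" described in the message, produced without any outgoing connection because the resolver is consulted before the parser would open the URL.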
