[teiid-issues] [JBoss JIRA] (TEIID-2911) Guard against external entity resolving

Steven Hawkins (JIRA) issues at jboss.org
Tue Apr 1 20:01:13 EDT 2014


     [ https://issues.jboss.org/browse/TEIID-2911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steven Hawkins updated TEIID-2911:
----------------------------------

              Summary: Guard against external entity resolving  (was: Applications that expose RESTEasy XML endpoints)
        Fix Version/s: 8.4.2
                       8.7
          Description: 
If applications expose RESTEasy XML endpoints, add the following snippet to their web.xml file to disable entity expansion in RESTEasy:

<context-param>
        <param-name>resteasy.document.expand.entity.references</param-name>
        <param-value>false</param-value>
</context-param>

Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.

However, this is not sufficient for OData, as OData4j is responsible for parsing the Atom feed.  StaxXMLFactoryProvider2 simply creates XMLInputFactories without any options, thus they will perform external entity resolving by default.  An issue will need to be opened against OData4j.

For SQL/XML, the XMLType input factory needs to disable external entity resolving (via experimentation just setting the relevant property doesn't always work, so like other projects we'll set an XMLResolver, which does work).


  was:
If applications expose RESTEasy XML endpoints, add the following snippet to their web.xml file to disable entity expansion in RESTEasy:

<context-param>
        <param-name>resteasy.document.expand.entity.references</param-name>
        <param-value>false</param-value>
</context-param>

Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.

    Affects Version/s: 8.4
                       7.7
                           (was: 8.4.1)
                           (was: 8.7)
                           (was: 8.7.1)
          Component/s: Query Engine

    
> Guard against external entity resolving
> ---------------------------------------
>
>                 Key: TEIID-2911
>                 URL: https://issues.jboss.org/browse/TEIID-2911
>             Project: Teiid
>          Issue Type: Bug
>          Components: OData, Query Engine
>    Affects Versions: 7.7, 8.4
>            Reporter: Van Halbert
>            Assignee: Steven Hawkins
>            Priority: Critical
>             Fix For: 8.4.2, 8.7
>
>
> If applications expose RESTEasy XML endpoints, add the following snippet to their web.xml file to disable entity expansion in RESTEasy:
> <context-param>
>         <param-name>resteasy.document.expand.entity.references</param-name>
>         <param-value>false</param-value>
> </context-param>
> Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.
> However, this is not sufficient for OData, as OData4j is responsible for parsing the Atom feed.  StaxXMLFactoryProvider2 simply creates XMLInputFactories without any options, thus they will perform external entity resolving by default.  An issue will need to be opened against OData4j.
> For SQL/XML, the XMLType input factory needs to disable external entity resolving (via experimentation just setting the relevant property doesn't always work, so like other projects we'll set an XMLResolver, which does work).
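
The SQL/XML hardening described in the last paragraph, as an added Java example that is not Teiid's own code: a StAX XMLInputFactory that sets the no-external-entity properties and, because the issue notes the property alone is not always honoured, also installs an XMLResolver that refuses every lookup. The class and method names (SafeStaxFactory, newHardenedFactory, textContent) and the sample document are constructed for this illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class SafeStaxFactory {

    /** Builds an XMLInputFactory that never fetches external entities or DTDs. */
    public static XMLInputFactory newHardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // First layer: the standard StAX properties.
        factory.setProperty(XMLInputFactory.IS_SUPPORT_EXTERNAL_ENTITIES, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Second layer: some implementations ignore the properties, so install a
        // resolver that fails closed instead of fetching anything.
        factory.setXMLResolver(new XMLResolver() {
            @Override
            public Object resolveEntity(String publicID, String systemID,
                                        String baseURI, String namespace)
                    throws XMLStreamException {
                throw new XMLStreamException(
                        "External entity resolution is disabled: " + systemID);
            }
        });
        return factory;
    }

    /** Concatenates the character content of the document parsed with the given factory. */
    public static String textContent(XMLInputFactory factory, String xml)
            throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: an external entity pointing at a placeholder URI that is never read.
        String xml = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/ext.dtd\">]><d>&ext;</d>";
        try {
            System.out.println("Parsed text: " + textContent(newHardenedFactory(), xml));
        } catch (XMLStreamException e) {
            // Depending on the StAX implementation the rejection comes from SUPPORT_DTD=false
            // at the DOCTYPE or from the resolver at the entity reference; nothing is fetched.
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```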

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira