"yilmaz_" wrote : That is not true. Scheme provides validation templates for
your xml file.
Right, but the point is, if the parser can't find the schema file, it doesn't try
to fetch it over the net.
"yilmaz_" wrote : If dom4j can not find it. It downloads it from internet.
And I'm making the point that that is a bad thing.
"yilmaz_" wrote : I think this guy has no knowlegde about this or he has some
serious configuration issues.
Well, obviously the configuration issue is that there is an error in a pages.xml file.
What's bad is how this system responded to the error.
A good response: "In the file pages.xml, you refer to DTD: http://... which isn't
in the classpath."
A bad response: silently making an outgoing network connection, and then failing with a
"no route to host" error without even telling me which file it's trying to
get.
And then I go on to make the point that if any website is using dom4j to parse
user-supplied XML documents, it's possible to create a document which contains a line
with a malicious DTD URL, and that could in fact be exploitable.
I perfectly understand about DTDs, but you can expect, especially in a large application,
there could be some pages.xml file somewhere that's still using an old DTD when
switching to a newer version of the JSF jar or whatever, and that can result in one
behaviour with a network connection and a different behaviour without, which is really
bad.
dom4j shouldn't be doing this kind of thing.
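The two behaviours the reply asks for can both be configured on dom4j's SAXReader: for user-supplied XML, refuse any DOCTYPE so a DTD URL is never followed; for the application's own files, resolve the DTD from the classpath and, when it is missing, report the file name and the DTD URL instead of opening a network connection. The following is an added example and is not code from this thread or from dom4j; the class name, the classpath directory `dtd/`, and the XML document and DTD URL built in `main` are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example (not dom4j's or the poster's code): keep dom4j from silently
// opening network connections for DTDs, and report a missing DTD by file and URL.
public class SafeDom4jReader {

    // Standard Xerces feature URIs, also honoured by the JDK's built-in SAX parser.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    private static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";

    // For user-supplied XML: any DOCTYPE is rejected, so no DTD or entity URL is ever followed.
    public static SAXReader untrustedInputReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature(DISALLOW_DOCTYPE, true);
        reader.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        reader.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        reader.setFeature(LOAD_EXTERNAL_DTD, false);
        return reader;
    }

    // For the application's own files (pages.xml and friends): the DTD is served from
    // the classpath directory "dtd/" (assumed layout) and never from the network.
    // sourceName is only used to produce a clear error message.
    public static SAXReader classpathOnlyReader(final String sourceName) throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        reader.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException, IOException {
                // Keep only the final path segment of the DTD URL as the resource name.
                String name = systemId == null ? "" : systemId.substring(systemId.lastIndexOf('/') + 1);
                if (name.length() == 0 || name.indexOf("..") >= 0 || !name.endsWith(".dtd")) {
                    throw new SAXException("In the file " + sourceName
                            + ", you refer to an entity with an unsupported system id: " + systemId);
                }
                InputStream in = SafeDom4jReader.class.getClassLoader()
                        .getResourceAsStream("dtd/" + name);
                if (in == null) {
                    // The clear message the reply asks for, instead of "no route to host".
                    throw new SAXException("In the file " + sourceName + ", you refer to DTD: "
                            + systemId + " which isn't in the classpath.");
                }
                InputSource source = new InputSource(in);
                source.setPublicId(publicId);
                source.setSystemId(systemId);
                return source;
            }
        });
        return reader;
    }

    public static Document parse(SAXReader reader, String xml) throws DocumentException {
        return reader.read(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed document; the DTD URL is a placeholder, not a real host.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE pages SYSTEM \"http://dtd.example.invalid/pages.dtd\">\n"
                + "<pages><page view-id=\"/home.xhtml\"/></pages>";

        try {
            parse(untrustedInputReader(), xml);
        } catch (DocumentException e) {
            // The parser refuses the DOCTYPE before any URL is touched.
            System.out.println("untrusted reader: " + e.getMessage());
        }

        try {
            parse(classpathOnlyReader("pages.xml"), xml);
        } catch (DocumentException e) {
            // No dtd/pages.dtd on the classpath, so the resolver names the file and the URL.
            System.out.println("classpath reader: " + e.getMessage());
        }
    }
}
```

Note that `classpathOnlyReader` deliberately leaves `load-external-dtd` on: switching it off would make the missing-DTD problem disappear silently, which is the opposite of the diagnostic the reply wants, whereas the resolver turns every DTD reference into either a classpath hit or an error that names the file and URL. The resolver also only ever looks inside `dtd/`, so a DTD reference in a config file cannot reach anything outside the classpath.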
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4116133#...