[
https://jira.jboss.org/jira/browse/JBWS-1582?page=com.atlassian.jira.plug...
]
Richard Opalka reopened JBWS-1582:
----------------------------------
Externalize parser properties
-----------------------------
Key: JBWS-1582
URL: https://jira.jboss.org/jira/browse/JBWS-1582
Project: JBoss Web Services
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: jbossws-native
Affects Versions: jbossws-native-3.1.1
Reporter: Thomas Diesler
Assignee: Richard Opalka
Fix For: jbossws-native-3.1.2
A question has come up around the DTD entity parsing denial of service issue raised here:
http://www-128.ibm.com/developerworks/xml/library/x-tipcfsx.html
http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150...
Are we allowing for the use of the parser.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) to limit the defaults?
What about disabling doctypes via the http://apache.org/xml/features/disallow-doctype-decl feature:
http://xerces.apache.org/xerces2-j/features.html
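The two settings the issue asks about, applied to a JAXP DocumentBuilderFactory and exercised against a document that carries a DOCTYPE. This is an added example, not code from the issue or from JBossWS; the class name, helper names and sample documents are constructed, and it assumes a Xerces-based JAXP implementation (such as the one built into the JDK) that recognises the disallow-doctype-decl feature.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedParserDemo {
    // Feature URI quoted in the issue (from the Xerces feature list).
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds a factory; when hardened, sets both features the issue names. */
    static DocumentBuilderFactory newFactory(boolean hardened)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        if (hardened) {
            // JAXP switch: asks the implementation to apply its processing limits.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Xerces feature: any <!DOCTYPE ...> declaration is a fatal error.
            f.setFeature(DISALLOW_DOCTYPE, true);
        }
        return f;
    }

    /** Returns "accepted" or the parser's rejection message. */
    static String tryParse(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return "accepted";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one harmless internal entity in a DOCTYPE, one plain document.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE msg [<!ENTITY greeting \"hello\">]>"
                + "<msg>&greeting;</msg>";
        String plain = "<msg>hello</msg>";
        for (boolean hardened : new boolean[] {false, true}) {
            DocumentBuilderFactory f = newFactory(hardened);
            System.out.println("hardened=" + hardened
                    + " doctype: " + tryParse(f, withDoctype));
            System.out.println("hardened=" + hardened
                    + " plain:   " + tryParse(f, plain));
        }
    }
}
```

With the hardened factory the DOCTYPE-bearing document is refused before any entity is expanded, while the plain document still parses, which is the behaviour to check for when a SOAP stack has no legitimate need for DTDs.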