[jbossws-issues] [JBoss JIRA] Updated: (JBWS-1582) Externalize parser properties
Thomas Diesler (JIRA)
jira-events at lists.jboss.org
Wed Jan 16 13:04:22 EST 2008
[ http://jira.jboss.com/jira/browse/JBWS-1582?page=all ]
Thomas Diesler updated JBWS-1582:
---------------------------------
Fix Version/s: jbossws-3.x
(was: jbossws-3.0.1)
> Externalize parser properties
> -----------------------------
>
> Key: JBWS-1582
> URL: http://jira.jboss.com/jira/browse/JBWS-1582
> Project: JBoss Web Services
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: jbossws-native
> Reporter: Thomas Diesler
> Assigned To: Thomas Diesler
> Priority: Critical
> Fix For: jbossws-3.x
>
>
> A question has come up around the DTD entity parsing denial of service issue raised here:
> http://www-128.ibm.com/developerworks/xml/library/x-tipcfsx.html
> http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security
> Are we allowing for the use of the parser.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) to limit the defaults?
> What about disabling doctypes via the http://apache.org/xml/features/disallow-doctype-decl feature:
> http://xerces.apache.org/xerces2-j/features.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
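
Added example, not part of the original message and not JBossWS code: the two settings the issue asks about, applied to a JAXP `DocumentBuilderFactory`, with the DOCTYPE switch read from an external property. The property name `example.xml.disallowDoctype`, the class and helper names, and both sample documents are assumptions constructed for illustration; the code assumes the JDK's built-in parser or Xerces2-J, which recognise the `disallow-doctype-decl` feature.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.helpers.DefaultHandler;

public class ParserPropertiesDemo {
    // Feature URI quoted in the issue (listed on the Xerces2-J features page).
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    // Hypothetical property name, standing in for an externalized setting.
    static final String PROP = "example.xml.disallowDoctype";

    static DocumentBuilderFactory newFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Asks the implementation to apply its built-in processing limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Defaults to the strict setting; a deployment has to opt out explicitly.
        boolean strict = Boolean.parseBoolean(System.getProperty(PROP, "true"));
        f.setFeature(DISALLOW_DOCTYPE, strict);
        return f;
    }

    static String tryParse(String xml) {
        try {
            DocumentBuilder b = newFactory().newDocumentBuilder();
            b.setErrorHandler(new DefaultHandler()); // rethrows fatal errors, keeps stderr quiet
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted, root=" + d.getDocumentElement().getLocalName();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain message, and one carrying a DOCTYPE
        // with a single harmless internal entity.
        String plain = "<env:Envelope xmlns:env='urn:example:env'><env:Body/></env:Envelope>";
        String withDtd = "<!DOCTYPE msg [<!ENTITY who 'world'>]><msg>hello &who;</msg>";
        for (String value : new String[] {"true", "false"}) {
            System.setProperty(PROP, value);
            System.out.println(PROP + "=" + value);
            System.out.println("  plain:   " + tryParse(plain));
            System.out.println("  doctype: " + tryParse(withDtd));
        }
    }
}
```

With the property left at its default, the DOCTYPE-bearing document is rejected before any entity is expanded, while the plain message parses in both modes.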