[teiid-issues] [JBoss JIRA] (TEIID-2911) Applications that expose RESTEasy XML endpoints
Steven Hawkins (JIRA)
issues at jboss.org
Mon Mar 31 13:44:12 EDT 2014
[ https://issues.jboss.org/browse/TEIID-2911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12957871#comment-12957871 ]
Steven Hawkins commented on TEIID-2911:
---------------------------------------
In looking at this a bit more, I believe the entity expansion is taking place in the odata4j layer - not RESTEasy. As you dig through, the parser is created with XMLInputFactory.newInstance(), which I believe we would need to get javax.xml.stream.isSupportingExternalEntities=false passed to. The default is unspecified, so I'm not sure if Woodstox supports that by default or if there is a system-wide way to disable it. I believe the same would hold true for Teiid's own usage of XMLInputFactory.newInstance - it may be allowing SQL/XML to resolve external entities as well.
> Applications that expose RESTEasy XML endpoints
> -----------------------------------------------
>
> Key: TEIID-2911
> URL: https://issues.jboss.org/browse/TEIID-2911
> Project: Teiid
> Issue Type: Bug
> Components: OData
> Affects Versions: 8.4.1, 8.7, 8.7.1
> Reporter: Van Halbert
> Assignee: Steven Hawkins
> Priority: Critical
>
> If applications expose RESTEasy XML endpoints, add the following snippet to their web.xml file to disable entity expansion in RESTEasy:
> <context-param>
> <param-name>resteasy.document.expand.entity.references</param-name>
> <param-value>false</param-value>
> </context-param>
> Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
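
The comment above points at `XMLInputFactory.newInstance()` and the `javax.xml.stream.isSupportingExternalEntities` property. The following is an added example, not code from Teiid, odata4j or the original message: the class `HardenedStax` and its helpers are hypothetical names, the input document and marker file are constructed, and disabling `SUPPORT_DTD` goes one step beyond what the comment mentions. Because StAX implementations differ in how they treat an unresolved reference, the check accepts either a parser error or text without the marker.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStax {
    /** Hypothetical helper: a StAX factory that will not resolve external entities. */
    static XMLInputFactory newHardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // The property named in the comment: javax.xml.stream.isSupportingExternalEntities
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Assumption beyond the comment: also refuse DTD processing altogether
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return f;
    }

    /** Returns all character data; throws if the parser rejects the document. */
    static String textOf(XMLInputFactory f, String xml) throws XMLStreamException {
        StringBuilder sb = new StringBuilder();
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) sb.append(r.getText());
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a marker file created here and referenced as an external entity
        Path marker = Files.createTempFile("stax-marker", ".txt");
        Files.writeString(marker, "MARKER-CONTENT");
        String xml = "<!DOCTYPE d [<!ENTITY e SYSTEM \"" + marker.toUri() + "\">]><d>&e;</d>";
        try {
            String text = textOf(newHardenedFactory(), xml);
            System.out.println(text.contains("MARKER-CONTENT")
                ? "FAIL: external entity was resolved" : "OK: entity not expanded");
        } catch (XMLStreamException e) {
            System.out.println("OK: parser rejected the document: " + e.getMessage());
        } finally {
            Files.delete(marker);
        }
    }
}
```

Running the same check against a factory obtained from plain `XMLInputFactory.newInstance()` shows what the StAX implementation on the classpath does by default.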