Hi Vinay,
I believe the XmlPullParser implementation does not support external
entities at all, so that should be fine. For StAX parsers (either the
standard javax.xml.stream implementation provided in recent JDKs, or the
WoodStox implementation) this is controlled by the
javax.xml.stream.isSupportingExternalEntities property. It looks like
JiBX doesn't set this, and the default setting is unspecified (though as
far as I know it actually defaults to FALSE in all the implementations),
so to be completely safe you should probably modify the
org.jibx.runtime.impl.StAXReaderFactory to set it to java.Boolean.FALSE
on the StAXReaderFactory instance. I should probably make this change
part of the standard code, since I doubt anyone is actually using
external entities.
Regards,
- Dennis
Dennis M. Sosnoski
Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training
<http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
On 03/07/2013 12:06 PM, Vinay Pothnis wrote:
Hello,
I am using JiBX for marshalling/unmarshalling XML. I would like to
disable external entity resolution to basically protect against
attacks based on external entity resolution.
https://www.owasp.org/images/5/5d/XML_Exteral_Entity_Attack.pdf
Could you please provide me some pointers on how to go about this with
JiBX?
Thanks
Vinay
_______________________________________________
jibx-users mailing list
jibx-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jibx-users
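The property Dennis names above is the standard StAX one, so the hardening can be checked outside JiBX. The following is an added example, not code from JiBX or from either poster: it builds a javax.xml.stream.XMLInputFactory with IS_SUPPORTING_EXTERNAL_ENTITIES set to Boolean.FALSE (and, as an extra step the reply does not mention, SUPPORT_DTD set to FALSE), then feeds it a constructed document that declares an external entity pointing at a local file. The document, the class name and the helper methods are assumptions for illustration; wiring the factory into JiBX's StAXReaderFactory is left as described in the reply.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxXxeCheck {

    // Constructed test document (not from the thread): declares an external
    // entity that points at a local file and references it in element content.
    // If the parser resolves it, the file contents end up in the parsed data.
    private static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [\n"
        + "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<data>&ext;</data>";

    /** Factory configured the way the reply recommends, plus SUPPORT_DTD off. */
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Set the property explicitly instead of relying on the implementation
        // default, which the StAX spec leaves unspecified.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Extra step (assumption, not in the reply): refusing DTDs altogether also
        // blocks internal entity expansion attacks and external DTD fetches.
        // Drop this line if your documents legitimately carry a DOCTYPE.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return f;
    }

    /** Returns the text content of the document, or a marker describing why it was not read. */
    public static String readText(XMLInputFactory factory, String xml) {
        XMLStreamReader r = null;
        try {
            r = factory.createXMLStreamReader(new StringReader(xml));
            StringBuilder sb = new StringBuilder();
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS || ev == XMLStreamConstants.CDATA) {
                    sb.append(r.getText());
                } else if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    // The parser reported the reference instead of resolving it.
                    // Treat the input as hostile rather than silently continuing.
                    return "UNRESOLVED ENTITY: " + r.getLocalName();
                }
            }
            return sb.toString();
        } catch (XMLStreamException e) {
            return "REJECTED: " + e.getMessage();
        } finally {
            if (r != null) {
                try { r.close(); } catch (XMLStreamException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("default factory : " + readText(XMLInputFactory.newInstance(), XXE_DOC));
        System.out.println("hardened factory: " + readText(hardenedFactory(), XXE_DOC));
    }
}
```

Run it once against the StAX implementation actually on your classpath (the JDK's built-in one or Woodstox). With the hardened factory the result is either a REJECTED line or an UNRESOLVED ENTITY line, never the file contents; which of the two you see depends on the implementation, which is exactly why the property should be set explicitly rather than trusting a default. The default-factory line tells you what your current deployment does today.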