Hi Vinay,

I believe the XmlPullParser implementation does not support external entities at all, so that should be fine. For StAX parsers (either the standard javax.xml.stream implementation provided in recent JDKs, or the WoodStox implementation) this is controlled by the javax.xml.stream.isSupportingExternalEntities property. It looks like JiBX doesn't set this, and the default setting is unspecified (though as far as I know it actually defaults to FALSE in all the implementations), so to be completely safe you should probably modify the org.jibx.runtime.impl.StAXReaderFactory to set it to java.Boolean.FALSE on the StAXReaderFactory instance. I should probably make this change part of the standard code, since I doubt anyone is actually using external entities.

Regards,

  - Dennis

Dennis M. Sosnoski
Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training <http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>

On 03/07/2013 12:06 PM, Vinay Pothnis wrote:
> Hello,
>
> I am using JiBX for marshalling/unmarshalling XML. I would like to disable external entity resolution to basically protect against attacks based on external entity resolution. https://www.owasp.org/images/5/5d/XML_Exteral_Entity_Attack.pdf
>
> Could you please provide me some pointers on how to go about this with JiBX?
>
> Thanks
> Vinay

_______________________________________________
jibx-users mailing list
jibx-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jibx-users
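
The StAX configuration Dennis describes above, as an added, runnable example (not code from this thread or from JiBX itself). It builds an XMLInputFactory with javax.xml.stream.isSupportingExternalEntities set to Boolean.FALSE, and additionally switches off javax.xml.stream.supportDTD so that a DOCTYPE cannot declare any entities at all, then feeds both a stock factory and the hardened one a constructed XXE payload that points at a temporary file standing in for /etc/passwd. The class name StaxXxeCheck, the temp file and the payload are assumptions made for the demonstration; whether the stock factory leaks the file depends on your StAX implementation's default for that property, which is exactly the uncertainty Dennis raises:

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxXxeCheck {

    /** Factory configured the way Dennis suggests, plus DTD support disabled entirely. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // javax.xml.stream.isSupportingExternalEntities: never fetch SYSTEM/PUBLIC entities
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // javax.xml.stream.supportDTD: no DOCTYPE processing, so no entity declarations
        // (this also removes internal-entity expansion attacks such as "billion laughs")
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return f;
    }

    /**
     * Concatenates every text node the parser produces for the document.
     * Returns null if the parser rejected the input with an XMLStreamException,
     * which is one acceptable outcome for a hardened parser fed a DOCTYPE.
     */
    static String textContent(XMLInputFactory f, String xml) {
        StringBuilder sb = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int ev = r.next();
                // Only CHARACTERS/CDATA are collected; an unresolved ENTITY_REFERENCE
                // event contributes nothing, so an unexpanded &xxe; yields empty text.
                if (ev == XMLStreamConstants.CHARACTERS || ev == XMLStreamConstants.CDATA) {
                    sb.append(r.getText());
                }
            }
            r.close();
        } catch (XMLStreamException e) {
            return null;
        }
        return sb.toString();
    }

    static String report(String label, String text) {
        if (text == null) {
            return label + ": parser rejected the document";
        } else if (text.contains("TOP-SECRET")) {
            return label + ": LEAKED file contents -> " + text.trim();
        } else {
            return label + ": entity not expanded -> '" + text.trim() + "'";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret file; the OWASP paper uses /etc/passwd for the same role.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed XXE payload: an external general entity pointing at the file.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE note [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
                + "<note>&xxe;</note>";

        System.out.println(report("stock factory   ", textContent(XMLInputFactory.newInstance(), payload)));
        System.out.println(report("hardened factory", textContent(hardenedFactory(), payload)));
    }
}
```

Run it with `javac StaxXxeCheck.java && java StaxXxeCheck` on a JDK that ships javax.xml.stream (Java 6 and later); the second line must never report a leak. The two setProperty calls are the change Dennis proposes for the factory that org.jibx.runtime.impl.StAXReaderFactory creates, so if you patch JiBX locally, apply them there rather than relying on the implementation's unspecified default. Disabling DTD support is stricter than the thread asks for: keep it only if none of your documents legitimately carry a DOCTYPE.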
