[ https://issues.apache.org/jira/browse/DAFFODIL-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Beckerle updated DAFFODIL-1422:
------------------------------------
    Priority: Critical  (was: Major)

> disallow doctype decls in all XML & XSD that we read in
> -------------------------------------------------------
>
>                 Key: DAFFODIL-1422
>                 URL: https://issues.apache.org/jira/browse/DAFFODIL-1422
>             Project: Daffodil
>          Issue Type: Improvement
>          Components: API, Back End, Front End
>    Affects Versions: 1.1.0
>            Reporter: Mike Beckerle
>            Priority: Critical
>
> We should be doing this:
> {code}
> spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
> {code}
> and simply rejecting things with doctype decls. This would apply to all the 
> XML we consume be it a DFDL schema, configuration file, or input data for 
> unparsing. 
> This is needed because of problems that doctype decls can create where the 
> incoming XML can cause the JVM to crash with out-of-memory-errors (OOME). 
> See https://en.wikipedia.org/wiki/Billion_laughs for one vulnerability that 
> this fixes.
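Added example, not code from the ticket or from Daffodil itself: a small Java program that parses a constructed document carrying a DOCTYPE with a default SAXParserFactory and again with the feature the ticket proposes enabled, so the effect of the setting (a DOCTYPE becomes a fatal parse error before any entity is expanded) can be observed directly. The class name and the sample documents are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeCheck {
    // Constructed sample: a harmless document that nonetheless carries a DOCTYPE
    // with an internal entity, the precondition for entity-expansion attacks.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY a \"x\"> ]>\n"
      + "<data>&a;</data>";

    // Constructed sample: the same content with no DOCTYPE at all.
    static final String WITHOUT_DOCTYPE = "<?xml version=\"1.0\"?><data>x</data>";

    /** Returns true if the document parsed, false if the parser rejected it. */
    static boolean parses(String xml, boolean hardened) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        if (hardened) {
            // The feature proposed in the ticket: any DOCTYPE declaration is a fatal error,
            // so entity definitions are never even read, let alone expanded.
            spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        SAXParser parser = spf.newSAXParser();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory, with DOCTYPE:  " + parses(WITH_DOCTYPE, false));
        System.out.println("hardened factory, with DOCTYPE: " + parses(WITH_DOCTYPE, true));
        System.out.println("hardened factory, no DOCTYPE:   " + parses(WITHOUT_DOCTYPE, true));
    }
}
```

The factory must be configured before `newSAXParser()` is called; a parser obtained from a default factory keeps its default, permissive behaviour.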
--
This message was sent by Atlassian Jira
(v8.3.4#803005)