[ https://issues.apache.org/jira/browse/UIMA-6064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timo Boehme updated UIMA-6064:
------------------------------
    Description: 
Between version 2.10.1 and 2.10.2 the XMLParser configuration was changed 
(fixed, without the possibility to adjust it) to disallow DTDs and their 
loading from an external file.

This is done in XMLUtils.createSAXParserFactory(), which sets the 
DISALLOW_DOCTYPE_DECL and LOAD_EXTERNAL_DTD features. Before, the 
SAXParserFactory was created without adjusting these features.

While I understand that this was done to prevent malicious XML from doing nasty 
things, the way it was done is problematic:
 * the change happened in a revision build, with no major or minor number change
 * it was not documented
 * one cannot simply change it back, e.g. via an environment variable, a method 
call etc. - the only workaround is a problematic sub-classing of 
XMLParser_impl with additional configuration etc.

We use DTDs for CPE descriptors quite a lot to keep the descriptor in 
modular chunks using entities etc. Thus it is important (for the time being) to 
use DTDs there - and we know that the XML is not problematic.

Because this feature (DTD) is crucial I have marked this as a BUG, since such 
changes should not occur in a build upgrade, or it should at least be possible 
to get the old behavior back easily.

 

  was:
Between version 2.10.1 and 2.10.2 the XMLParser configuration was changed 
(fixed, without the possibility to adjust it) to disallow DTDs and their 
loading from an external file.

This is done in XMLUtils.createSAXParserFactory(), which sets the 
DISALLOW_DOCTYPE_DECL and LOAD_EXTERNAL_DTD features. Before, the 
SAXParserFactory was created without adjusting these features.

While I understand that this was done to prevent malicious XML from doing nasty 
things, the way it was done is problematic:
 * the change happened in a revision build, with no major or minor number change
 * it was not documented
 * one cannot simply change it back, e.g. via an environment variable, a method 
call etc. - the only workaround is a problematic sub-classing of 
XMLParser_impl with additional configuration etc.

We use DTDs for CPE descriptors quite a lot to keep the descriptor in 
modular chunks using entities etc. Thus it is quite important (for the time 
being) to use DTDs there - and we know that the XML is not problematic.

Because this feature (DTD) is crucial I have marked this as a BUG, since such 
changes should not occur in a build upgrade, or it should at least be possible 
to get the old behavior back easily.

 


> External DTD usage in XML descriptors disabled during build revision upgrade
> ----------------------------------------------------------------------------
>
>                 Key: UIMA-6064
>                 URL: https://issues.apache.org/jira/browse/UIMA-6064
>             Project: UIMA
>          Issue Type: Bug
>          Components: Core Java Framework
>    Affects Versions: 2.10.2SDK
>            Reporter: Timo Boehme
>            Priority: Major
>
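As an added illustration (not code from the UIMA project or from this issue), the two SAX features the description names applied to a plain JAXP SAXParserFactory in the way XMLUtils.createSAXParserFactory() is described as doing, next to a probe that reports whether a given factory still accepts a DOCTYPE. It assumes the UIMA constants DISALLOW_DOCTYPE_DECL and LOAD_EXTERNAL_DTD stand for the Xerces feature URIs shown; the class name and the sample document are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeFeatureCheck {
    // Xerces feature URIs; assumed to be what UIMA's DISALLOW_DOCTYPE_DECL
    // and LOAD_EXTERNAL_DTD constants refer to.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Factory configured as the 2.10.2 change is described: any DOCTYPE is
    // rejected outright and no external DTD is ever fetched.
    static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        return f;
    }

    // Probe: true if the factory refuses a document carrying a DOCTYPE.
    // The constructed sample uses only an internal subset, so a permissive
    // factory needs no file access and parses it cleanly.
    static boolean rejectsDoctype(SAXParserFactory f)
            throws ParserConfigurationException, SAXException, IOException {
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE cpeDescription [ <!ENTITY name \"constructed\"> ]>\n"
            + "<cpeDescription>&name;</cpeDescription>";
        try {
            f.newSAXParser().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                new DefaultHandler());
            return false;
        } catch (SAXParseException e) {
            return true;  // Xerces reports the disallowed DOCTYPE as a fatal error
        }
    }

    public static void main(String[] args) throws Exception {
        // JAXP defaults correspond to the pre-2.10.2 behaviour described above.
        System.out.println("hardened rejects DOCTYPE:   " + rejectsDoctype(hardenedFactory()));
        System.out.println("default rejects DOCTYPE:    " + rejectsDoctype(SAXParserFactory.newInstance()));
    }
}
```

For descriptors that only need an internal subset or local entity files, leaving disallow-doctype-decl off while keeping load-external-dtd false, paired with an EntityResolver that serves nothing but known local DTDs, is a narrower relaxation than restoring the pre-2.10.2 defaults (a general mitigation pattern, not something this issue proposes).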



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)