[jira] [Comment Edited] (UIMA-6064) External DTD usage in XML descriptors disabled during build revision upgrade

Thu, 13 Jun 2019 14:51:29 -0700 


    [ 
https://issues.apache.org/jira/browse/UIMA-6064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16863490#comment-16863490
 ] 

Marshall Schor edited comment on UIMA-6064 at 6/13/19 9:50 PM:
---------------------------------------------------------------

There are 6 xml / sax feature strings in XMLUtils.  Should one switch/flag be 
use to disable/enable all of these?  Or just some?  or do we need multiple 
flags?  Thanks for clarifying.


was (Author: schor):
There are 6 xml / sax feature strings in XMLUtils.  Should one switch/flag be 
use to disable/endable all of these?  Or just some?  or do we need multiple 
flags?  Thanks for clarifying.

> External DTD usage in XML descriptors disabled during build revision upgrade
> ----------------------------------------------------------------------------
>
>                 Key: UIMA-6064
>                 URL: https://issues.apache.org/jira/browse/UIMA-6064
>             Project: UIMA
>          Issue Type: Bug
>          Components: Core Java Framework
>    Affects Versions: 2.10.2SDK
>            Reporter: Timo Boehme
>            Priority: Major
>
> Between version 2.10.1 and 2.10.2 the XMLParser configuration was changed 
> (fixed, without the possibility to adjust it) to not allow for DTD and its 
> loading from external file.
> This is done in XMLUtils.createSAXParserFactory() which sets the 
> DISALLOW_DOCTYPE_DECL and LOAD_EXTERNAL_DTD feature. Before the 
> SAXParserFactory was created without adjusting these features.
> While I understand that this was done to prevent malicious XML from doing 
> nasty things, the kind how it was done is problematic:
>  * the change happened in a revision build, no major or minor number change
>  * it was not documented
>  * one cannot simply change it back like using an environment variable, 
> method call etc. - the only workaround is to do a problematic sub-classing of 
> XMLParser_impl with additional configuration etc.
> We use the DTDs for CPE descriptors quite a lot to have the descriptor in 
> modular chunks using entities etc. Thus it is important (for the time being) 
> to use DTD there - and we know that the XML is not problematic.
> Because this feature (DTD) is crucial I have marked this as a BUG since such 
> changes should not occur in a build upgrade or it should at least be possible 
> to get the old behavior easily back.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to