That makes sense to me.
So, should we tell the reporter:
===
We do not consider this a problem in the Xalan Transformer. Xalan uses the
system's XMLReader. It is the responsibility of this XMLReader to decide
whether or not to access external resources. You'll see you can reproduce
the behavior like this outside of Xalan:
import java.io.StringReader;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

String xmlInput = "<!DOCTYPE foo [<!ENTITY % xxe SYSTEM \"http://localhost:8888\"> %xxe;]>";
StreamSource xmlSource = new StreamSource(new StringReader(xmlInput));
InputSource input = SAXSource.sourceToInputSource(xmlSource);
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.parse(input);
How you configure your system's XMLReader not to access external entities
depends on which XMLReader your system uses. For example, if you're using
most JDKs' internal Xerces implementation, one option might be to:
System.setProperty("javax.xml.accessExternalDTD", "");
System.setProperty("javax.xml.accessExternalSchema", "");
===
or something like this? I do think it'd be worth documenting this
responsibility somewhere, though it's not super obvious what would be a
good place...
Kind regards,
Arnout Engelen
ASF Security
On Tue, Sep 9, 2025 at 10:49 AM Joseph Kesselman via security <
[email protected]> wrote:
> If that's the position Xerces is taking, then I think Xalan can argue that
> this can be managed by handing Xalan an appropriately configured parser
> rather than having one automatically instantiated.
>
> Which would make the user's wish for an easier solution a feature request
> rather than a bug.
>
> I'm not sure that's the best answer, but it is a consistent answer.
>
> --
> Joe
>
> Car Talk has been advised that the staff opticians, C. F. Eyecare, are now
> under new management. It's Ike and Zeke Leary, now; Lorraine is gone.
> ------------------------------
> *From:* Michael Glavassevich <[email protected]>
> *Sent:* Monday, September 8, 2025 12:23:07 PM
> *To:* [email protected] <[email protected]>
> *Subject:* RE: Question about secure processing
>
> The secure processing feature in Xerces guards against two well known
> denial of service attacks. See implementation details here:
> https://xerces.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html.
> Reading external entities is a different concern and can be managed with
> other XML parser configuration (e.g. an EntityResolver).
>
> -----Original Message-----
> From: Joseph Kesselman <[email protected]>
> Sent: August 22, 2025 4:42 PM
> To: [email protected]
> Subject: [EXTERNAL] Re: Question about secure processing
>
> When I replaced the URI in the DTD External Entity reference with a
> legitimate one (pointing to a stub server on my own machine), I did get
> complaints about HTML protocol not being correct ... so apparently this is
> at least trying to open the URI.
>
> If it's actually reading the entity, that could be the basis for a DOS
> attack, if nothing else.
>
> We *should* be running with the secure flag set. I can try debuggerizing
> to confirm.
>
--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
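As an added example (not code from the thread or from Xalan/Xerces), this shows the approach Joe describes above: configure the XMLReader yourself so it never fetches external entities, then hand that reader to Xalan through a SAXSource instead of letting Xalan instantiate its own. The feature URIs are the standard SAX2 ones plus one Xerces-specific feature; the input is a constructed document of the same shape as the draft reply's, with a root element added so the parse can complete.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

public class HardenedXmlReaderExample {

    // Constructed input: the parameter entity would make an unconfigured
    // parser fetch an external DTD from localhost:8888 before parsing <foo/>.
    static final String XML_INPUT =
        "<!DOCTYPE foo [<!ENTITY % xxe SYSTEM \"http://localhost:8888\"> %xxe;]><foo/>";

    /** An XMLReader configured so it never resolves external entities or DTDs. */
    static XMLReader hardenedReader() throws Exception {
        XMLReader reader = XMLReaderFactory.createXMLReader();
        // Standard SAX2 features: skip both general and parameter external entities
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // JAXP 1.5 per-reader equivalent of the javax.xml.accessExternalDTD system property
        reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        try {
            // Xerces-specific: do not load the external DTD subset at all
            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (SAXNotRecognizedException e) {
            // Not a Xerces reader; the SAX2 features above still apply
        }
        return reader;
    }

    /** Run an identity transform with the caller-supplied reader, not an auto-created one. */
    static String transformWithHardenedReader(String xml) throws Exception {
        InputSource input = new InputSource(new StringReader(xml));
        SAXSource source = new SAXSource(hardenedReader(), input);
        Transformer identity = TransformerFactory.newInstance().newTransformer();
        StringWriter out = new StringWriter();
        identity.transform(source, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // No connection to localhost:8888 is attempted; the %xxe; reference is skipped.
        System.out.println(transformWithHardenedReader(XML_INPUT));
    }
}
```

To confirm the fetch no longer happens, run it with a listener on port 8888 (for example `nc -l 8888`) and observe that nothing connects; with a plain `XMLReaderFactory.createXMLReader()` in place of `hardenedReader()` the connection attempt shows up.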