OK, thanks... that makes sense...

...the term 'feature' I was using from the xerces docs, where they use
the term to set parsing options on the SAX DocumentBuilderFactory here:

http://xerces.apache.org/xerces2-j/features.html

We've been able to show that we can block the vector by setting the
following features there:

// Disable resolution of external general and parameter entities (the XXE vector)
builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Apply the JAXP secure-processing limits as well
builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Now I just have to go find out if POI has a way to get at xmlbeans :)

Thanks again.
Jp

On Fri, Feb 1, 2013 at 9:38 AM, Cezar Andrei <cezar.and...@oracle.com> wrote:
> I'm not sure I understand exactly what you're looking for but I'll give
> it a try.
>
> It's possible to pass the exact XML parser that XMLBeans should use, see
> http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseXMLReader(org.xml.sax.XMLReader)
> and
> http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()
>
> Setting these options to your own parser and resolver should give you
> the full control on what resources XMLBeans operates.
>
> Cezar
>
> On Wed, 2013-01-30 at 16:40 -0800, Jon Gorrono wrote:
>> Hello.
>>
>> I didn't get a bite on the question below posted to the user@xmlbeans
>> list a couple of weeks ago so I am working up the chain ;)
>>
>> To restate the question, does xmlbeans use 'safe' defaults for xml
>> parsing features to avoid XXE and DTD operations? Both are capable of
>> exposing sensitive system documents and as conduit for XSS.
>>
>> And/or are the setting of parsing features exposed so that users of
>> xmlbeans can set them?
>>
>>
>> From the department of TMI, my immediate interest is in a project that
>> uses POI and poi uses xmlbeans to parse ooxml documents. POI punted me
>> to xmlbeans.... under the assumption that they have no control over
>> the parsing features used by xmlbeans.
>>
>> Can anyone here provide any insight?
>>
>> Thanks.
>> Jp
>>
>>
>> ---------- Forwarded message ----------
>> From: Jon Gorrono <jpgorr...@ucdavis.edu>
>> Date: Mon, Jan 14, 2013 at 6:37 PM
>> Subject: XXE
>> To: u...@xmlbeans.apache.org
>>
>>
>> Hello.
>>
>> There's been a lot going around lately about XML External Entity
>> definitions and how they (and related constructs) can be exploited in
>> nefarious ways.
>>
>> Does xmlbeans set safe defaults for 'features' on xml processors? If
>> not, are the base objects accessible to developers (users of xmlbeans)
>> so that processing 'features' can be set?
>>
>> Thanks
>>
>>
>> --
>> Jon Gorrono
>> PGP Key: 0x5434509D -
>> http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
>> http://middleware.ucdavis.edu
>>

-- 
Jon Gorrono
PGP Key: 0x5434509D -
http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
http://middleware.ucdavis.edu

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@xmlbeans.apache.org
For additional commands, e-mail: dev-h...@xmlbeans.apache.org
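Putting the two halves of the thread together (the hardened SAX features Jp lists and the XmlOptions.setLoadUseXMLReader hook Cezar points to), here is an added example that is not code from either poster or from the XmlBeans project. It assumes XmlBeans 2.x and a Xerces-derived JAXP SAX parser on the classpath; the "load-external-dtd" feature is Xerces-specific and is guarded in case the parser in use does not recognise it.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.XMLReader;

public class SafeXmlBeansLoad {

    // Build a SAX reader that never resolves external entities or DTDs,
    // then hand it to XmlBeans instead of relying on its default parser.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // XmlBeans needs namespace-aware SAX events
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        try {
            // Xerces-specific (assumption): also skip fetching the external DTD subset
            spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (SAXNotRecognizedException ignored) {
            // Parser is not Xerces; the two SAX features above still disable entity expansion
        }
        return spf.newSAXParser().getXMLReader();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document: declares an external entity that points at
        // a local file and references it in the body (the classic XXE shape).
        String doc = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
            + "<r>&ext;</r>";

        XmlOptions opts = new XmlOptions();
        opts.setLoadUseXMLReader(hardenedReader());
        try {
            XmlObject obj = XmlObject.Factory.parse(doc, opts);
            // With entity resolution off the reference is not expanded,
            // so the file content never appears in the parsed tree.
            System.out.println("Parsed without expanding &ext;: " + obj.xmlText());
        } catch (XmlException e) {
            // Some parser/XmlBeans combinations reject the skipped entity outright;
            // that is also a safe outcome, since nothing was read from disk.
            System.out.println("Document rejected: " + e.getMessage());
        }
    }
}
```

Whichever branch runs, the file named in the entity is never opened; compare by removing the two setFeature calls for external entities and watching the hostname show up in xmlText().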
