Hello, I am back again with a question from the POI team ...

They use XMLBeans to generate a large number of classes that extend
org.apache.xmlbeans.impl.values.XmlComplexContentImpl .... which
seemed like a place to provide a custom XMLOptions with reader
preferences for parsing since it can access signatures that include
XMLOptions as an argument

..... but apparently xmlbeans generates those classes and they ask for
a recommendation for how to provide a custom XMLOptions object with a
large number of generated classes....

Thanks

On Fri, Feb 1, 2013 at 12:11 PM, Jon Gorrono <jpgorr...@ucdavis.edu> wrote:
> OK, thanks... that makes sense...
>
> ...the term 'feature' I was using comes from the xerces docs, where they use
> the term for setting parsing options on the SAX DocumentBuilderFactory here:
>
> http://xerces.apache.org/xerces2-j/features.html
>
> We've been able to show that we can block the vector by setting the
> following features there:
>
> builderFactory.setFeature("http://xml.org/sax/features/external-general-entities",
> false);
> builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities",
> false);
> builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
>
> Now I just have to go find out if POI has a way to get at xmlbeans :)
>
> Thanks again.
> Jp
>
>
>
>
>
> On Fri, Feb 1, 2013 at 9:38 AM, Cezar Andrei <cezar.and...@oracle.com> wrote:
>> I'm not sure I understand exactly what you're looking for but I'll give
>> it a try.
>>
>> It's possible to pass the exact XML parser that XMLBeans should use, see
>> http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseXMLReader(org.xml.sax.XMLReader)
>> and
>> http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()
>>
>> Setting these options to your own parser and resolver should give you
>> full control over what resources XMLBeans operates on.
>>
>> Cezar
>>
>> On Wed, 2013-01-30 at 16:40 -0800, Jon Gorrono wrote:
>>> Hello.
>>>
>>> I didn't get a bite on the question below posted to the user@xmlbeans
>>> list a couple of weeks ago so I am working up the chain ;)
>>>
>>> To restate the question, does xmlbeans use 'safe' defaults for xml
>>> parsing features to avoid XXE and DTD operations? Both are capable of
>>> exposing sensitive system documents and of acting as a conduit for XSS.
>>>
>>> And/or are the setting of parsing features exposed so that users of
>>> xmlbeans can set them?
>>>
>>>
>>> From the department of TMI, my immediate interest is in a project that
>>> uses POI and poi uses xmlbeans to parse ooxml documents. POI punted me
>>> to xmlbeans.... under the assumption that they have no control over
>>> the parsing features used by xmlbeans.
>>>
>>> Can anyone here provide any insight?
>>>
>>> Thanks.
>>> Jp
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Jon Gorrono <jpgorr...@ucdavis.edu>
>>> Date: Mon, Jan 14, 2013 at 6:37 PM
>>> Subject: XXE
>>> To: u...@xmlbeans.apache.org
>>>
>>>
>>> Hello.
>>>
>>> There's been a lot going around lately about XML External Entity
>>> definitions and how they (and related constructs) can be exploited in
>>> nefarious ways.
>>>
>>> Does xmlbeans set safe defaults for 'features' on xml processors? If
>>> not, are the base objects accessible to developers (users of xmlbeans)
>>> so that processing 'features' can be set?
>>>
>>> Thanks
>>>
>>>
>>> --
>>> Jon Gorrono
>>> PGP Key: 0x5434509D -
>>> http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
>>> http://middleware.ucdavis.edu
>>>
>>>
>>> --
>>> Jon Gorrono
>>> PGP Key: 0x5434509D -
>>> http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
>>> http://middleware.ucdavis.edu
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@xmlbeans.apache.org
>>> For additional commands, e-mail: dev-h...@xmlbeans.apache.org
>>>
>>
>>
>>
>>
>
>
>
> --
> Jon Gorrono
> PGP Key: 0x5434509D -
> http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
> http://middleware.ucdavis.edu



--
Jon Gorrono
PGP Key: 0x5434509D -
http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
http://middleware.ucdavis.edu
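One way to wire the features Jon lists into XMLBeans through the XmlOptions hook Cezar points to, as an added example that is not code from this thread or from the XMLBeans or POI projects. It assumes the JDK's built-in Xerces-derived SAX parser, which accepts the apache.org feature URIs alongside the standard xml.org ones; the sample documents are constructed here.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;

public final class HardenedXmlBeansLoad {

    // SAX reader with external entity resolution and DTD loading switched off.
    // Assumes the JDK's built-in (Xerces-derived) parser, which understands the
    // apache.org feature URIs as well as the standard xml.org ones.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Strictest choice: any DOCTYPE at all fails the parse instead of being processed.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newSAXParser().getXMLReader();
    }

    // One XmlOptions instance serves XmlObject.Factory.parse(...) and the
    // Factory.parse(..., XmlOptions) overload on every generated type, so the
    // generated classes themselves need no change.
    static XmlOptions hardenedOptions() throws Exception {
        XmlOptions opts = new XmlOptions();
        opts.setLoadUseXMLReader(hardenedReader());
        return opts;
    }

    public static void main(String[] args) throws Exception {
        XmlOptions opts = hardenedOptions();

        // Constructed sample: an ordinary document parses as before.
        XmlObject ok = XmlObject.Factory.parse("<doc><v>1</v></doc>", opts);
        System.out.println("parsed: " + ok.xmlText());

        // Constructed sample: a document referencing an external DTD is rejected
        // by the reader; nothing is fetched. XMLBeans wraps the SAX error in XmlException.
        String withDtd = "<!DOCTYPE d SYSTEM \"placeholder.dtd\"><d/>";
        try {
            XmlObject.Factory.parse(withDtd, opts);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (XmlException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```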
