Hello, I am back again with a question from the POI team ... They use XMLBeans to generate a large number of classes that extend org.apache.xmlbeans.impl.values.XmlComplexContentImpl .... which seemed like a place to provide a custom XMLOptions with reader preferences for parsing, since it can access signatures that include XMLOptions as an argument ..... but apparently xmlbeans generates those classes, and they ask for a recommendation for how to provide a custom XMLOptions object with a large number of generated classes....

Thanks

On Fri, Feb 1, 2013 at 12:11 PM, Jon Gorrono <jpgorr...@ucdavis.edu> wrote:
> OK, thanks... that makes sense...
>
> ...the term 'feature' I was using from xerces docs where they use
> the term to set parsing options on the SAX DocumentBuilderFactory here:
>
> http://xerces.apache.org/xerces2-j/features.html
>
> We've been able to show that we can block the vector by setting the
> following features there:
>
> builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
> builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
>
> Now I just have to go find out if POI has a way to get at xmlbeans :)
>
> Thanks again.
> Jp
>
> On Fri, Feb 1, 2013 at 9:38 AM, Cezar Andrei <cezar.and...@oracle.com> wrote:
>> I'm not sure I understand exactly what you're looking for but I'll give
>> it a try.
>>
>> It's possible to pass the exact XML parser that XMLBeans should use, see
>> http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseXMLReader(org.xml.sax.XMLReader)
>> and
>> http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()
>>
>> Setting these options to your own parser and resolver should give you
>> full control over what resources XMLBeans operates on.
>>
>> Cezar
>>
>> On Wed, 2013-01-30 at 16:40 -0800, Jon Gorrono wrote:
>>> Hello.
>>>
>>> I didn't get a bite on the question below posted to the user@xmlbeans
>>> list a couple of weeks ago so I am working up the chain ;)
>>>
>>> To restate the question, does xmlbeans use 'safe' defaults for xml
>>> parsing features to avoid XXE and DTD operations? Both are capable of
>>> exposing sensitive system documents and of acting as a conduit for XSS.
>>>
>>> And/or are the parsing feature settings exposed so that users of
>>> xmlbeans can set them?
>>>
>>> From the department of TMI, my immediate interest is in a project that
>>> uses POI, and POI uses xmlbeans to parse ooxml documents. POI punted me
>>> to xmlbeans.... under the assumption that they have no control over
>>> the parsing features used by xmlbeans.
>>>
>>> Can anyone here provide any insight?
>>>
>>> Thanks.
>>> Jp
>>>
>>> ---------- Forwarded message ----------
>>> From: Jon Gorrono <jpgorr...@ucdavis.edu>
>>> Date: Mon, Jan 14, 2013 at 6:37 PM
>>> Subject: XXE
>>> To: u...@xmlbeans.apache.org
>>>
>>> Hello.
>>>
>>> There's been a lot going around lately about XML External Entity
>>> definitions and how they (and related constructs) can be exploited in
>>> nefarious ways.
>>>
>>> Does xmlbeans set safe defaults for 'features' on xml processors? If
>>> not, are the base objects accessible to developers (users of xmlbeans)
>>> so that processing 'features' can be set?
>>>
>>> Thanks
>>>
>>> --
>>> Jon Gorrono
>>> PGP Key: 0x5434509D - http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
>>> http://middleware.ucdavis.edu
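The parser-substitution route Cezar points to, as an added example that is not code from this thread, from XMLBeans or from POI: a hardened XMLReader built from the JDK's SAXParserFactory (assumed to be Xerces-based, so the apache.org feature URIs are honoured) is handed to XMLBeans through XmlOptions.setLoadUseXMLReader. The class HardenedXmlBeansLoader, its helper methods and the sample document are hypothetical; how to route such an XmlOptions into POI's generated classes is the open question above and is not addressed here.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/** Hypothetical helper: builds XmlOptions backed by a reader that never resolves external content. */
public final class HardenedXmlBeansLoader {

    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true); // XMLBeans needs a namespace-aware reader
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Xerces-specific: refuse any DOCTYPE outright and never fetch an external DTD.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Defence in depth: should a feature be ignored, every external id resolves to nothing.
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }

    static XmlOptions hardenedOptions() throws Exception {
        XmlOptions opts = new XmlOptions();
        opts.setLoadUseXMLReader(hardenedReader()); // XMLBeans parses with our reader, not its default
        return opts;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity (the URL is a placeholder).
        String doc = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/placeholder.txt\">]>"
                   + "<d>&ext;</d>";
        try {
            XmlObject.Factory.parse(doc, hardenedOptions());
            System.out.println("parsed: DOCTYPE was accepted, check that the reader is Xerces-based");
        } catch (XmlException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
        // A plain document still loads through the same options.
        XmlObject ok = XmlObject.Factory.parse("<d>safe</d>", hardenedOptions());
        System.out.println(ok.xmlText());
    }
}
```

A reader built this way also fails closed if an application later re-enables a SAX feature by mistake, because the empty-InputSource resolver still stops anything external from being read.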
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@xmlbeans.apache.org
For additional commands, e-mail: dev-h...@xmlbeans.apache.org