Hello Developers,

Several developers have raised some concerns about potential system entity 
expansion with MarkLogic. There are some things to keep in mind when thinking 
about this.

Since MarkLogic is a database management system, it works with the operating 
system to provide high levels of security. In this case, only files that have 
appropriate file permissions can be loaded in this manner (for example:
<!ENTITY xxe SYSTEM "file:///c:/text.xml" >). Files have to be readable by
daemon on Linux and the equivalent on Windows, or this will generate
an exception. This capability is part of the XML specification, and MarkLogic
tries to support standards wherever possible. Any APIs which are used to 
manipulate entities (e.g., xdmp:document-insert) are all protected by 
MarkLogic's granular user-role-permissions security model.

That said, we do want to respond to any customer and developer concerns, so we 
are looking into a trace event which would allow developers to enable or 
disable system entity expansion. This would enable developers to have exact 
control over the behavior, as they should.

Have a great rest of your week.

Regards,
Trinh

Trinh N. Lieu
Senior Manager, Developer Community
MarkLogic Corporation
[email protected]
Phone: 703.854.8561
www.marklogic.com

_______________________________________________
General mailing list
[email protected]
Manage your subscription at: 
http://developer.marklogic.com/mailman/listinfo/general
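
A pre-ingest screen for the kind of declaration quoted in the message, as an added example that is not part of the original e-mail and is not MarkLogic code: it uses Python's expat binding to list declarations that carry a system identifier without resolving them, so such documents can be held back before they reach a loader. The function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat

def external_declarations(xml_bytes):
    """List (kind, name, system_id) for every declaration in the document
    that carries a system identifier. Nothing is fetched or expanded."""
    found = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None:
            found.append(("external-dtd", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            kind = "parameter-entity" if is_param else "general-entity"
            found.append((kind, name, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is set, so expat skips external
    # references instead of resolving them.
    parser.Parse(xml_bytes, True)
    return found

def screen_for_ingest(xml_bytes):
    """Return (accept, findings); reject malformed input and any document
    that declares an external entity or an external DTD subset."""
    try:
        findings = external_declarations(xml_bytes)
    except xml.parsers.expat.ExpatError as exc:
        return False, [("not-well-formed", "", str(exc))]
    return (not findings), findings

# Constructed samples; the first uses the declaration quoted in the message.
SAMPLE_SYSTEM = b'''<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY xxe SYSTEM "file:///c:/text.xml" >
]>
<doc>&xxe;</doc>'''
SAMPLE_INTERNAL = b'<!DOCTYPE doc [<!ENTITY co "MarkLogic">]><doc>&co;</doc>'
SAMPLE_BROKEN = b'<doc><unclosed></doc>'

if __name__ == "__main__":
    for label, doc in [("system", SAMPLE_SYSTEM), ("internal", SAMPLE_INTERNAL),
                       ("broken", SAMPLE_BROKEN)]:
        print(label, screen_for_ingest(doc))
```

Internal entities with literal values pass the screen; only declarations that point outside the document are reported.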