You are welcome to add one, the Hint DISABLE_EXTERNAL_ENTITIES is listed in
the javadoc for DocumentFactory linked above (and there are examples of use
in the test cases).

Another approach is to look at the source code for
PreventLocalEntityResolver and make one that is even more restrictive.

Keep in mind that this is for one of our earlier XML parsers which is now
pretty much only used by gt-wms. I already feel a bit uncomfortable
changing the default to use PreventLocalEntityResolver.

--
Jody Garnett

On 16 October 2016 at 16:33, Ben Caradoc-Davies <b...@transient.nz> wrote:

> Jody,
>
> do we have an example of how to use Hints to prevent remote external
> entity resolution? This is another type of XXE vulnerability. Some users
> may wish to parse untrusted XML documents without the risk of, for example,
> triggering malicious REST calls against their internal network.
>
> Kind regards,
> Ben.
>
>
> On 17/10/16 07:53, Jody Garnett wrote:
>
>> Ben we prevent resolving to local files by default, but we do resolve to
>> external ones.
>> On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies <b...@transient.nz>
>> wrote:
>>
>>> Indeed, and thanks for the detailed docs.
>>>
>>> There are situations where XML external entity resolution is necessary;
>>> users must consider the vulnerabilities inherent in resolving XML
>>> external entities in untrusted documents. Disabling external entity
>>> resolution is a safe default.
>>>
>>> Kind regards,
>>> Ben.
>>>
>>> On 16/10/16 11:27, Jody Garnett wrote:
>>>
>>>> Fair correction Ben, but we do have instructions for turning the security
>>>> vulnerability back on :)
>>>>
>>>
>>> --
>>> Ben Caradoc-Davies <b...@transient.nz>
>>> Director
>>> Transient Software Limited <http://transient.nz/>
>>> New Zealand
>>>
>>>
> --
> Ben Caradoc-Davies <b...@transient.nz>
> Director
> Transient Software Limited <http://transient.nz/>
> New Zealand
>
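As an added example (not code from the GeoTools project or from anyone on this thread), here is what the "even more restrictive" resolver Jody suggests looks like on plain JAXP/SAX, next to the parser features that stop external general entities, external parameter entities and external DTD fetches from being resolved at all. The class names, the handler and the sample document are assumptions made for this example; the GeoTools Hint names to use with DocumentFactory come from the javadoc linked in the thread, not from this code.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class NoExternalEntitiesExample {

    /**
     * Refuses every external entity, local or remote. This is an example class
     * written here, not GeoTools's PreventLocalEntityResolver (which only blocks
     * local file access); it is the "more restrictive" variant discussed above.
     */
    static final class RefuseAllEntityResolver implements EntityResolver {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
            throw new SAXException("external entity resolution is disabled; refused " + systemId);
        }
    }

    /** Collects character data and records any entity reference the parser skipped. */
    static final class CollectingHandler extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        final List<String> skipped = new ArrayList<>();

        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }

        @Override
        public void skippedEntity(String name) {
            skipped.add(name);
        }
    }

    /** Factory with external entity resolution switched off before any parser is created. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Never expand external general or parameter entities ...
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // ... and never fetch an external DTD subset.
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory;
    }

    /** Parses untrusted XML; the resolver is a second line of defence behind the features. */
    static CollectingHandler parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = hardenedFactory().newSAXParser();
        XMLReader reader = parser.getXMLReader();
        reader.setEntityResolver(new RefuseAllEntityResolver());
        CollectingHandler handler = new CollectingHandler();
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new StringReader(xml)));
        return handler;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: declares a remote entity (placeholder host, never contacted).
        String untrusted =
                "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [\n"
                + "  <!ENTITY remote SYSTEM \"http://internal.example.invalid/status\">\n"
                + "]>\n"
                + "<doc>before[&remote;]after</doc>";
        CollectingHandler result = parse(untrusted);
        System.out.println("text:    " + result.text);
        System.out.println("skipped: " + result.skipped);
    }
}
```

With the features set, the parser never asks the resolver for the remote entity; the reference is reported through skippedEntity and expands to nothing, so no request leaves the host. The resolver still matters for any parser configuration where a feature is unsupported or was left on, which is why it throws rather than returning an empty InputSource: a loud failure on untrusted input is easier to detect than silently dropped content.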
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users