[
https://issues.apache.org/jira/browse/CXF-7680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16406165#comment-16406165
]
Colm O hEigeartaigh commented on CXF-7680:
------------------------------------------
The wiki does NOT say that the Woodstox parser is insecure:
"The only parser that will currently work is Woodstox 4.2 or newer. The main
reason is there are a series of DOS attacks that can only be prevented at the
StAX parser level. There is a "org.apache.cxf.stax.allowInsecureParser" System
Property that can be set to true to allow using an insecure parser, but that is
HIGHLY not recommended and doing so would also now allow the settings described
in this section."
If you are using Woodstox 4.2 or above then you should be automatically
protected against attacks which sends huge amounts of XML. However it seems by
your example above that you are not protected....could you attach a test-case
to reproduce the problem?
> Restrict the size of SOAP message OR allow only MTOM messages
> -------------------------------------------------------------
>
> Key: CXF-7680
> URL: https://issues.apache.org/jira/browse/CXF-7680
> Project: CXF
> Issue Type: Wish
> Components: JAX-WS Runtime, Soap Binding
> Affects Versions: 3.2.2
> Reporter: Nicholas
> Priority: Critical
> Labels: performance, security
>
> I encountered this problem, but couldn't get any help, although hours of
> searching...
> I am developing B2B web services.
> Service is receiving SOAP request where file attachments are encoded in
> base64 format, application works well, except if one of the client decides to
> send very large XML - possibly 500MB of XML data, at this very point my
> application's java heap size grows exponentially and mostly throw
> OutOfMemoryException. So I decided to use MTOM mechanism to send and receive
> messages with large(or several) attachments, application performs well,
> memory-wise, but there is still another problem, server and client, BOTH need
> to enable MTOM messaging, even if it is enabled on server, client can send it
> still with base64 format and server receives without any worries until
> aformentioned exception is thrown. Anyone can create a HUGE xml message that
> can crash my app in seconds. How can I secure my application from these kind
> of malicious service calls.
> Searched a lot, but couldn't find virtually any reliable solution for this.
> So question/problem/wish is:
> 1) How can I restrict the size of SOAP message (only XML part if MTOM).
> OR
> 2) How can I allow only MTOM messages.
> What I found/explored:
> [http://cxf.apache.org/docs/security.html] in the "Controlling Large Request
> Payloads" section there is written about Woodstox parser which can be used to
> restrict XML message by its character sizes, but also written that it's not
> recommended and it's insecure. Even if this was the solution, how would it
> behave in MTOM message.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
