On Fri, Jan 21, 2011 at 08:59, Miyuru Wanninayaka <[email protected]> wrote:
> Hi all,
>
> I'm trying to process XML response from a POX service which returns XML
> response with DOCTYPE declarations and it fails with
> "javax.xml.stream.XMLStreamException: DOCTYPE is not allowed exception".
> Reason for this is DisallowDoctypeDeclStreamReaderWrapper throws an
> XMLStreamException when DTD element found. I think this is done to fix
> security vulnerability CVE-2010-1632.
>
> AFAIK setting javax.xml.stream.supportDTD property to false in axiom will
> prevent DTD processing and does not require to throw an exception when DTD
> found.
It's much more complicated than that. javax.xml.stream.supportDTD=false will
disable processing of the external DTD subset, but the internal DTD subset
will still be read (at least, that is the behavior in Woodstox). Section 5.3
of the CVE-2010-1632 security advisory contains an example of how this can be
exploited to carry out a denial of service attack. I don't think that there
is any way to configure Woodstox such that it tolerates messages with DOCTYPE
declarations without being vulnerable to at least one of the exploits
described in CVE-2010-1632.

> --
> Thanks,
> Miyuru Wanninayaka
> Software Engineer - WSO2 Inc.
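The fail-closed approach the reply defends, as an added illustration that is not Axiom's DisallowDoctypeDeclStreamReaderWrapper (whose source is not on this page): a StAX StreamReaderDelegate, here named DoctypeRejectingReader (my own name), that rejects the DTD event no matter how supportDTD is set, run against a constructed message carrying an internal subset.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.util.StreamReaderDelegate;

/** Wraps any StAX reader and rejects a DOCTYPE before its internal subset can be acted on. */
public class DoctypeRejectingReader extends StreamReaderDelegate {
    public DoctypeRejectingReader(XMLStreamReader parent) { super(parent); }

    @Override
    public int next() throws XMLStreamException {
        int event = super.next();
        if (event == XMLStreamConstants.DTD) {
            throw new XMLStreamException("DOCTYPE is not allowed", getLocation());
        }
        return event;
    }

    /** Route nextTag() through next() so callers cannot skip past the DTD check. */
    @Override
    public int nextTag() throws XMLStreamException {
        int event = next();
        while (event == XMLStreamConstants.SPACE || event == XMLStreamConstants.COMMENT
                || event == XMLStreamConstants.PROCESSING_INSTRUCTION
                || (event == XMLStreamConstants.CHARACTERS && isWhiteSpace())) {
            event = next();
        }
        if (event != XMLStreamConstants.START_ELEMENT && event != XMLStreamConstants.END_ELEMENT) {
            throw new XMLStreamException("expected a start or end tag", getLocation());
        }
        return event;
    }

    public static void main(String[] args) throws Exception {
        // Constructed POX-style message with an internal subset, the part supportDTD=false leaves readable.
        String pox = "<!DOCTYPE r [<!ENTITY x \"hello\">]><r>&x;</r>";
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        XMLStreamReader r = new DoctypeRejectingReader(f.createXMLStreamReader(new StringReader(pox)));
        try {
            while (r.hasNext()) r.next();
            System.out.println("accepted: no DOCTYPE present");
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        } finally {
            r.close();
        }
    }
}
```

Which StAX implementation sits underneath decides exactly what is scanned before the DTD event is delivered; the wrapper only guarantees that nothing after the DOCTYPE is handed to application code.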
