From the point of view of Axiom, it is already configurable: the behavior is specified by a StAXParserConfiguration object that is passed to the relevant methods in StAXUtils and OMXMLBuilderFactory. I have no objections to making this configurable at the Axis2 level, provided that the default configuration is secure.
Andreas

On Mon, Jan 24, 2011 at 08:44, Hiranya Jayathilaka <[email protected]> wrote:
> Hi Andreas,
> Can we make this configurable? Current behavior is causing some issues on
> the Synapse front. Sometimes users mediate HTML files through Synapse and most
> HTML documents contain DTD declarations. Can we introduce a property in
> Axiom to not throw an exception when a DTD is encountered? We can write a
> custom message builder for Synapse, but before we do that we want to know
> what Axiom/Axis2 folks think about this.
> Thanks,
> Hiranya
>
> On Sat, Jan 22, 2011 at 6:02 PM, Andreas Veithen <[email protected]> wrote:
>>
>> Since message builders are configurable, a user already has the option
>> to replace ApplicationXMLBuilder by an alternative (and insecure!)
>> implementation.
>>
>> Andreas
>>
>> On Sat, Jan 22, 2011 at 08:30, Supun Kamburugamuva <[email protected]> wrote:
>> > If this is handled at the Axiom layer why are we throwing this
>> > exception? Shouldn't we let the user control this behavior, without
>> > always throwing an exception?
>> >
>> > Thanks,
>> > Supun..
>> >
>> > On Fri, Jan 21, 2011 at 1:29 PM, Miyuru Wanninayaka <[email protected]> wrote:
>> >> Hi all,
>> >>
>> >> I'm trying to process an XML response from a POX service which returns an XML
>> >> response with DOCTYPE declarations and it fails with
>> >> "javax.xml.stream.XMLStreamException: DOCTYPE is not allowed
>> >> exception".
>> >> The reason for this is that DisallowDoctypeDeclStreamReaderWrapper throws an
>> >> XMLStreamException when a DTD element is found. I think this is done to fix
>> >> security vulnerability CVE-2010-1632.
>> >>
>> >> AFAIK setting the javax.xml.stream.supportDTD property to false in Axiom
>> >> will prevent DTD processing and does not require throwing an exception when
>> >> a DTD is found.
>> >>
>> >> --
>> >> Thanks,
>> >> Miyuru Wanninayaka
>> >> Software Engineer - WSO2 Inc.
>> >
>> > --
>> > Technical Lead, WSO2 Inc
>> > http://wso2.org
>> > supunk.blogspot.com
>
> --
> Hiranya Jayathilaka
> Senior Software Engineer;
> WSO2 Inc.; http://wso2.org
> Blog: http://techfeast-hiranya.blogspot.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
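The two policies debated in this thread, side by side, as an added example that is not part of the original messages and is not Axiom or Axis2 code. It uses only the standard javax.xml.stream API; `DoctypePolicyDemo`, `RejectDoctypeReader`, `hardenedFactory` and `parse` are hypothetical names, and the sample document is constructed.

```java
import java.io.StringReader;
import javax.xml.stream.*;
import javax.xml.stream.util.StreamReaderDelegate;

public class DoctypePolicyDemo {
    /** Hypothetical wrapper (not Axiom's class): fail as soon as the parser reports a DOCTYPE. */
    static final class RejectDoctypeReader extends StreamReaderDelegate {
        RejectDoctypeReader(XMLStreamReader parent) { super(parent); }
        @Override public int next() throws XMLStreamException {
            int event = super.next();
            if (event == XMLStreamConstants.DTD) {
                throw new XMLStreamException("DOCTYPE is not allowed");
            }
            return event;
        }
    }

    /** Factory hardened with standard StAX properties only: no DTD processing, no external entities. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Reads the whole document; returns the root element name, or the reason it was rejected. */
    static String parse(String xml, boolean rejectDoctype) {
        try {
            XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
            if (rejectDoctype) r = new RejectDoctypeReader(r); // strict policy: DOCTYPE is an error
            String root = null;
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT && root == null) {
                    root = r.getLocalName();
                }
            }
            return "parsed, root=" + root;
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an HTML-style document with a DOCTYPE, like the ones mediated through Synapse.
        String doc = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" "
                   + "\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html><body/></html>";
        System.out.println("strict : " + parse(doc, true));
        System.out.println("lenient: " + parse(doc, false));
    }
}
```

How a DOCTYPE is handled when `SUPPORT_DTD` is false depends on the StAX implementation on the classpath, so run both modes against the parser that is actually deployed before relaxing the strict policy.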
