[ http://nagoya.apache.org/jira/browse/XERCESC-1309?page=history ]
     
Alberto Massari resolved XERCESC-1309:
--------------------------------------

    Resolution: Won't Fix

I think Xerces is right to consider the setExternalSchemaLocation as a way to 
add the schema location for those XML documents that don't have it. If you have 
security concerns you should instead write your own entity resolver, so that 
you can approve/deny/redirect loading of external documents according to your 
own policy.

Alberto

> schemaLocation declared in instance document overrides validator properties
> ---------------------------------------------------------------------------
>
>          Key: XERCESC-1309
>          URL: http://nagoya.apache.org/jira/browse/XERCESC-1309
>      Project: Xerces-C++
>         Type: Bug
>   Components: Validating Parser (Schema) (Xerces 1.5 or up only)
>     Versions: 2.5.0, 2.6.0
>  Environment: Solaris 2.8, Forte 6.2 patch 5, built from source for both 
> 2.5.0 and 2.6.0
>     Reporter: Jake Pieczonka
>     Priority: Critical

>
> I am writing some code to validate documents against a given schema:
>     parser = new XercesDOMParser;
>     errorHandler = new ValidatorErrorHandler;
>     parser->setErrorHandler(errorHandler);
>     parser->setValidationScheme(XercesDOMParser::Val_Always);
>     parser->setDoNamespaces(true);
>     parser->setDoSchema(true);
>     //parser->setExternalSchemaLocation(schemaLocationWithNS.c_str());
>     parser->setExternalNoNamespaceSchemaLocation(schemaLocation.c_str());
>     parser->cacheGrammarFromParse(true);
> The code should override any schema declarations in the instance document.
> It works as expected when no schema declarations are present, and also 
> correctly overrides any noNameSpaceSchemaLocation declared in the document.
> However, if the document contains a schemaLocation declaration, then the code 
> above fails to override it and the schema is loaded from the location 
> contained in the document.
> Here is a sample declaration:
> <rootElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:schemaLocation="http://exploit.com/schema 
> http://www.exploit.com/schemas/exploitSchema.xsd"/>
> I am flagging this as cricital because of the possible security 
> considerations.  Instance documents should not be able to override the schema 
> location declared by the program, since it then becomes a trivial matter to 
> pass untrusted data to a program which is expecting validated input.
> Note that using the commented-out line above to set the schema location in 
> the program also fails to override the document setting.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://nagoya.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to