[ http://nagoya.apache.org/jira/browse/XERCESC-1309?page=history ] Alberto Massari closed XERCESC-1309: ------------------------------------
Hi Jake, I think we can close this bug now, as you have found the problem in your schema. I will answer your final comment on the mailing list, as they are general issues. Thanks, Alberto > schemaLocation declared in instance document overrides validator properties > --------------------------------------------------------------------------- > > Key: XERCESC-1309 > URL: http://nagoya.apache.org/jira/browse/XERCESC-1309 > Project: Xerces-C++ > Type: Bug > Components: Validating Parser (Schema) (Xerces 1.5 or up only) > Versions: 2.5.0, 2.6.0 > Environment: Solaris 2.8, Forte 6.2 patch 5, built from source for both > 2.5.0 and 2.6.0 > Reporter: Jake Pieczonka > Priority: Critical > > I am writing some code to validate documents against a given schema: > parser = new XercesDOMParser; > errorHandler = new ValidatorErrorHandler; > parser->setErrorHandler(errorHandler); > parser->setValidationScheme(XercesDOMParser::Val_Always); > parser->setDoNamespaces(true); > parser->setDoSchema(true); > //parser->setExternalSchemaLocation(schemaLocationWithNS.c_str()); > parser->setExternalNoNamespaceSchemaLocation(schemaLocation.c_str()); > parser->cacheGrammarFromParse(true); > The code should override any schema declarations in the instance document. > It works as expected when no schema declarations are present, and also > correctly overrides any noNameSpaceSchemaLocation declared in the document. > However, if the document contains a schemaLocation declaration, then the code > above fails to override it and the schema is loaded from the location > contained in the document. > Here is a sample declaration: > <rootElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; > xsi:schemaLocation="http://exploit.com/schema > http://www.exploit.com/schemas/exploitSchema.xsd"/> > I am flagging this as cricital because of the possible security > considerations. Instance documents should not be able to override the schema > location declared by the program, since it then becomes a trivial matter to > pass untrusted data to a program which is expecting validated input. > Note that using the commented-out line above to set the schema location in > the program also fails to override the document setting. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://nagoya.apache.org/jira/secure/Administrators.jspa - If you want more information on JIRA, or have a bug to report see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
