Hi Ted and all,
In the forked copy of Xerces that we maintain (a.k.a. XML4J :) ), we're
planning to solve this as follows: add a feature called
http://apache.org/xml/features/disallow-doctype-decl
which, when true, will cause the parser to emit a fatalError upon detection
of a DOCTYPE. Obviously, this is wholly incompatible with XML 1.0, and it
goes without saying it'll be false by default. But, as SOAP's a pretty
important spec--and is not the only spec that disallows a DOCTYPE property
in the infoset of conforming documents (the WSDL 1.2 WD does as well, IIRC)
--this kind of feature would seem to have at least some general utility,
aside from providing a workaround for this particular bug.
What do people think about this? Providing functionality--even disabled by
default--that's so clearly contrary to the spirit of XML is not something
we should do lightly; but perhaps in this instance it's not unreasonable.
All comments welcome!
Cheers,
Neil
Neil Graham
XML Parser Development
IBM Toronto Lab
Phone: 905-413-3519, T/L 969-3519
E-mail: [EMAIL PROTECTED]
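As an added example (not code from this thread and not Xerces' own source), here is how a caller would switch on the feature Neil describes through the standard SAX/JAXP API and see the fatal error it produces. It assumes a parser that recognizes `http://apache.org/xml/features/disallow-doctype-decl` (Xerces does, including the copy bundled inside the JDK); the two sample documents are constructed here.

```java
import java.io.StringReader;

import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: exercising the disallow-doctype-decl feature discussed in the thread. */
public class DisallowDoctypeDemo {

    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: a minimal SOAP 1.1 envelope with no DOCTYPE.
    static final String ENVELOPE =
        "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<env:Body/></env:Envelope>";

    // Constructed sample: the same envelope preceded by a DOCTYPE whose internal
    // subset declares an entity. SOAP forbids a DOCTYPE; the feature rejects it outright.
    static final String ENVELOPE_WITH_DOCTYPE =
        "<!DOCTYPE env:Envelope [ <!ENTITY greeting \"hello\"> ]>" + ENVELOPE;

    /**
     * Parses the document with the feature set as requested.
     * Returns true if the parser accepted it, false if it raised a fatal error.
     */
    static boolean accepts(String xml, boolean disallowDoctype) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        try {
            factory.setFeature(DISALLOW_DOCTYPE, disallowDoctype);
        } catch (SAXNotRecognizedException e) {
            // A parser that predates the feature (or is not Xerces) lands here.
            throw new IllegalStateException(
                "parser does not implement " + DISALLOW_DOCTYPE, e);
        }
        XMLReader reader = factory.newSAXParser().getXMLReader();
        // DefaultHandler.fatalError rethrows, so the DOCTYPE rejection surfaces as a
        // SAXParseException out of parse() instead of being swallowed.
        DefaultHandler handler = new DefaultHandler();
        reader.setContentHandler(handler);
        reader.setErrorHandler(handler);
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXParseException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("feature off (XML 1.0 default behaviour):");
        System.out.println("  plain envelope accepted:   " + accepts(ENVELOPE, false));
        System.out.println("  DOCTYPE envelope accepted: " + accepts(ENVELOPE_WITH_DOCTYPE, false));

        System.out.println("feature on (SOAP endpoint hardening):");
        System.out.println("  plain envelope accepted:   " + accepts(ENVELOPE, true));
        System.out.println("  DOCTYPE envelope accepted: " + accepts(ENVELOPE_WITH_DOCTYPE, true));
    }
}
```

With the feature left at its default of false both documents parse; with it set to true the envelope without a DOCTYPE still parses and the one with a DOCTYPE is rejected as a fatal error before its internal subset is read. Because the rejection happens at the DOCTYPE itself, neither an internal subset nor a reference to an external DTD is ever processed, which is why the feature is a reasonable switch for a SOAP endpoint even though it is, as Neil says, contrary to XML 1.0 for general documents.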
"Ted Leung" <[EMAIL PROTECTED]> wrote on 11/27/2002 02:28 PM (please respond to xerces-j-dev):
To: <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Fw: Security Alert - Xerces
Okay, it looks like Sanctum has decided that Xerces is the problem, and
they are going to issue a security alert against us. Other than Sanjiva's
suggestion of a flag to turn off internal (or probably all) entity
expansion, does anyone have any other ideas of how to fix this?
Ted
----- Original Message -----
From: "Ben Laurie" <[EMAIL PROTECTED]>
To: "Ted Leung" <[EMAIL PROTECTED]>
Sent: Wednesday, November 27, 2002 3:37 AM
Subject: [Fwd: Security Alert - Xerces]
> Here ya go. Please keep security@ copied on any followups...
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
>
Message-ID: <F4158E9E43A9D511BE1100065B043249EFA08F@perfectopdc>
From: Amit Klein <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Cc: Ory Segal <[EMAIL PROTECTED]>
Subject: Security Alert - Xerces
Date: Thu, 14 Nov 2002 11:15:23 -0800
Dear [EMAIL PROTECTED],
During a recent security audit at one of our customers, Sanctum found a
security vulnerability in your product Xerces.
The details of this vulnerability are described in the attached text file.
We intend to issue a public advisory on BugTraq, SecuriTeam and other site
forums about this vulnerability the last week of November. Please note, the
advisory will not contain specifics that might enable someone to exploit the
vulnerability.
We would appreciate it if you could issue a patch in that timeline (i.e.
around November 25th), so it can be linked to our advisory.
Please feel free to contact me for more information/help.
Thanks,
-Amit
<<XML_DTD_Xerces.txt>>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
#### XML_DTD_Xerces.txt has been removed from this note on November 27 2002
by Neil Graham