I'm fine with what's being done to address the immediate concern but I should point out that this is far from the end of our troubles on that front.
The fact is that there are many ways one can screw things up, by getting the parser into extremely CPU-consuming processing or running out of memory. To really address this someone would need to spend quite some time thinking about all the different "holes". For example, with the DOM it's easy to run out of memory. All it would take is to send a document with one element containing a few Gigas of text... I guess I favor the addition of parameters the application developer could use to set various limits, even though as an application developer I would probably have a hard time figuring out what to set them to... All these limits should be set to infinite by default.

-- Arnaud Le Hors - IBM, XML Standards Strategy Group / W3C AC Rep.

-----Original Message-----
From: Ted Leung [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 10:31 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Security Alert - Xerces]

The next version of Xerces-J will include a parser feature that will turn off DOCTYPE processing. When activated, this feature will prevent the entity expansion that causes this vulnerability. The Axis team will be able to use this feature to close the hole.

The URI for the parser feature will be "http://apache.org/xml/features/disallow-doctype-decl"

Ted

----- Original Message -----
From: "Ben Laurie" <[EMAIL PROTECTED]>
To: "Ted Leung" <[EMAIL PROTECTED]>
Sent: Wednesday, November 27, 2002 3:37 AM
Subject: [Fwd: Security Alert - Xerces]

> Here ya go. Please keep security@ copied on any followups...
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit."
> - Robert Woodruff
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
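The following is an added example, not code from this thread, from the Xerces project, or from Axis. It shows how an application would turn on the feature Ted names through the standard JAXP `DocumentBuilderFactory` API, and it assumes a Xerces-J build (or a JAXP parser backed by one) that implements `http://apache.org/xml/features/disallow-doctype-decl`. The two XML strings are constructed samples; the class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class DoctypeGuard {

    // Feature URI announced in the thread. Assumes the underlying parser is
    // Xerces-J (or Xerces-backed) and implements it.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: an ordinary document with no DOCTYPE.
    static final String PLAIN =
        "<?xml version=\"1.0\"?><order><item>widget</item></order>";

    // Constructed sample: a document carrying a DOCTYPE with an internal
    // entity declaration. With the feature enabled the parser should refuse
    // the document at the DOCTYPE, before any entity is ever expanded.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE order [<!ENTITY a \"widget\">]>"
        + "<order><item>&a;</item></order>";

    // Builds a DocumentBuilder that rejects any DOCTYPE declaration.
    // setFeature throws ParserConfigurationException when the parser does
    // not recognise the feature, which is the desired fail-closed behaviour:
    // better to refuse to start than to silently keep processing DTDs.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE, true);
        return factory.newDocumentBuilder();
    }

    // Returns the root element name, or null when the parser refused the input.
    static String rootName(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXException | IOException e) {
            // A SAXParseException here is the feature doing its job on WITH_DOCTYPE.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = hardenedBuilder();
        System.out.println("plain document root:   " + rootName(builder, PLAIN));
        System.out.println("DOCTYPE document root: " + rootName(builder, WITH_DOCTYPE));
    }
}
```

Refusing the document at the DOCTYPE closes the entity-expansion hole Ted describes, but it only covers that class of blow-up. The case Arnaud raises, a single element holding gigabytes of character data, never needs a DOCTYPE, so it would still reach the DOM; that is the gap his proposed configurable limits are meant to fill, and an application that builds a DOM from untrusted input should still cap the input size before it reaches the parser.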
