+1.  This is what I was after before, but Arnaud has stated it much more
clearly.

Ted
----- Original Message -----
From: "Arnaud Le Hors" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 03, 2002 9:18 AM
Subject: RE: Security Alert - Xerces]


> I'm fine with what's being done to address the immediate concern but I
> should point out that this is far from the end of our troubles on that
> front.
>
> The fact is that there are many ways one can screw things up, by getting the
> parser into extremely CPU consuming processing or running out of memory.
> To really address this someone would need to spend quite some time thinking
> about all the different "holes".
>
> For example, with the DOM it's easy to run out of memory. All it would take
> is to send a document with one element containing a few Gigas of text...
>
> I guess I favor the addition of parameters the application developer could
> use to set various limits, even though as an application developer I would
> probably have a hard time figuring out what to set them to... All these
> limits should be set to infinite by default.
> --
> Arnaud Le Hors - IBM, XML Standards Strategy Group / W3C AC Rep.
>
>
> -----Original Message-----
> From: Ted Leung [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 03, 2002 10:31 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Security Alert - Xerces]
>
>
> The next version of Xerces-J will include a parser feature that will
> turn off DOCTYPE processing.  When activated, this feature will
> prevent the entity expansion that causes this vulnerability.  The Axis
> team will be able to use this feature to close the hole.
>
> The URI for the parser feature will be
> "http://apache.org/xml/features/disallow-doctype-decl"
>
> Ted
> ----- Original Message -----
> From: "Ben Laurie" <[EMAIL PROTECTED]>
> To: "Ted Leung" <[EMAIL PROTECTED]>
> Sent: Wednesday, November 27, 2002 3:37 AM
> Subject: [Fwd: Security Alert - Xerces]
>
>
> > Here ya go. Please keep security@ copied on any followups...
> >
> > Cheers,
> >
> > Ben.
> >
> > --
> > http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
> >
> > "There is no limit to what a man can do or how far he can go if he
> > doesn't mind who gets the credit." - Robert Woodruff
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

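The parser feature Ted names above, shown as an added example (not code from this thread or from Xerces itself): a JAXP DocumentBuilder with disallow-doctype-decl and secure processing switched on, which makes any document carrying a DOCTYPE fail at parse time instead of reaching entity expansion. The class name, the two constructed inputs and the null-on-refusal contract are this example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class DoctypeGuard {
    // Feature URI quoted in the thread: when true, Xerces refuses any DOCTYPE.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        // Standard JAXP switch that additionally enforces the parser's
        // built-in entity expansion limits (the "limits" idea from the thread).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    /** Returns the root element name, or null when the parser refused the input. */
    static String parseRoot(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // Xerces reports the disallowed DOCTYPE as a parse error; log it
            // and treat the document as rejected rather than half-parsed.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one with an internal DTD subset.
        String plain = "<order><id>42</id></order>";
        String withDtd = "<!DOCTYPE order [<!ENTITY x \"expanded\">]><order>&x;</order>";
        System.out.println(parseRoot(plain));
        System.out.println(parseRoot(withDtd));
    }
}
```

The first call returns the root name; the second is refused because of the DOCTYPE, before any entity is expanded, which is the behaviour the Axis team would rely on.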