Arnaud wrote:
 
> I'm fine with what's being done to address the immediate concern but I
> should point out that this is far from the end of our troubles on that
> front.
> 
> The fact is that there are many ways one can screw things up, by getting the
> parser into extremely CPU consuming processing or running out of memory.
> To really address this someone would need to spend quite some time thinking
> about all the different "holes".
> 
> For example, with the DOM it's easy to run out of memory. All it would take
> is to send a document with one element containing a few Gigas of text...
> 
> I guess I favor the addition of parameters the application developer could
> use to set various limits, 

+1. 


Neeraj

PS: I have pasted the mail I sent yesterday.


Let's take a broader view of the problem. The problem still remains for many 
applications that will be using Xerces2. If for a moment we take our eyes off 
the SOAP/WSDL scenario (those applications know in advance that messages 
containing DOCTYPE declarations should be rejected straight away), any server-side 
application based on Xerces2 that receives such an XML document will have a problem.

        There are many such applications which are based on XML 1.0 and happily 
accept XML documents having an internal DTD subset. Rejecting XML documents 
containing DOCTYPE declarations is NOT a solution for such applications.

        So to me, Joe's suggestion of keeping a check on the number of entity 
expansions seems useful. I have heard that SGML originally had a wide variety of 
processing limits that could be defined in the SGML declaration. Since such 
things are not defined in XML 1.0, by default there shouldn't be any limit. 
        But applications that do care about such things can set it to their 
desired limit. Say, an application running on a particular server can decide the 
limit on the number as per its configuration. 



> Arnaud  Le Hors - IBM, XML Standards Strategy Group / W3C AC Rep.
> 
> 
> -----Original Message-----
> From: Ted Leung [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 03, 2002 10:31 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Security Alert - Xerces]
> 
> 
> The next version of Xerces-J will include a parser feature that will
> turn off DOCTYPE processing.  When activated, this feature will
> prevent the entity expansion that causes this vulnerability.  The Axis
> team will be able to use this feature to close the hole.
> 
> The URI for the parser feature will be
> "http://apache.org/xml/features/disallow-doctype-decl"
> 
> Ted
> ----- Original Message -----
> From: "Ben Laurie" <[EMAIL PROTECTED]>
> To: "Ted Leung" <[EMAIL PROTECTED]>
> Sent: Wednesday, November 27, 2002 3:37 AM
> Subject: [Fwd: Security Alert - Xerces]
> 
> 
> > Here ya go. Please keep security@ copied on any followups...
> >
> > Cheers,
> >
> > Ben.
> >
> > --
> > http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
> >
> > "There is no limit to what a man can do or how far he can go if he
> > doesn't mind who gets the credit." - Robert Woodruff
> >
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
> 
> 

-- Neeraj
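The two policies the thread contrasts, rejecting DOCTYPE outright versus keeping DOCTYPE and bounding entity expansion, side by side. This is an added example, not code from Xerces or from anyone in the thread. It uses the feature URI Ted quotes above through the standard JAXP `DocumentBuilderFactory`, and assumes the JDK's bundled Xerces parser, where `XMLConstants.FEATURE_SECURE_PROCESSING` enforces a per-document entity-expansion limit (default 64,000, overridable with `-Djdk.xml.entityExpansionLimit=N`). The class name, the helper names and both sample documents are constructed here; the "bomb" generator is the usual nested-entity pattern at a size that is far past the limit but nowhere near a gigabyte, so it is safe to run.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class DoctypePolicyDemo {

    // Feature URI from Ted Leung's message above.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: a document that legitimately carries an internal DTD subset.
    static final String BENIGN_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [ <!ENTITY company \"Example Corp\"> ]>\n"
        + "<note>Invoice from &company;</note>";

    /** Constructed entity-expansion bomb: each level references the previous one fanOut times,
     *  so the root element expands to fanOut^levels copies of "lol". */
    static String expansionBomb(int levels, int fanOut) {
        StringBuilder sb = new StringBuilder(
            "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n <!ENTITY lol0 \"lol\">\n");
        for (int i = 1; i <= levels; i++) {
            sb.append(" <!ENTITY lol").append(i).append(" \"");
            for (int j = 0; j < fanOut; j++) {
                sb.append("&lol").append(i - 1).append(';');
            }
            sb.append("\">\n");
        }
        sb.append("]>\n<lolz>&lol").append(levels).append(";</lolz>");
        return sb.toString();
    }

    /** Policy 1 (the SOAP/WSDL case): a DOCTYPE is never legitimate, so refuse it outright.
     *  This rejects the benign document with an internal subset too, which is Neeraj's objection. */
    static DocumentBuilder rejectDoctypeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        return f.newDocumentBuilder();
    }

    /** Policy 2 (applications that need the internal subset): keep DOCTYPE, cap the expansion work.
     *  Assumption: the JDK's bundled Xerces, where FEATURE_SECURE_PROCESSING enforces the
     *  entity-expansion limit (default 64,000, tunable with -Djdk.xml.entityExpansionLimit=N). */
    static DocumentBuilder limitedExpansionBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    /** Parses xml with the given builder; returns "accepted:<root>" or "rejected:<reason>". */
    static String tryParse(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted:" + d.getDocumentElement().getTagName();
        } catch (SAXException | IOException e) {
            // A disallowed DOCTYPE or an exceeded expansion limit surfaces here as a fatal parse error.
            return "rejected:" + e.getMessage();
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        // 10^6 nested expansions: well past the 64,000 limit, harmless if the limit holds.
        String bomb = expansionBomb(6, 10);
        DocumentBuilder strict = rejectDoctypeBuilder();
        DocumentBuilder limited = limitedExpansionBuilder();

        System.out.println("reject-doctype,    benign: " + tryParse(strict, BENIGN_WITH_DTD));
        System.out.println("reject-doctype,    bomb:   " + tryParse(strict, bomb));
        System.out.println("limited-expansion, benign: " + tryParse(limited, BENIGN_WITH_DTD));
        System.out.println("limited-expansion, bomb:   " + tryParse(limited, bomb));
    }
}
```

Run it with `javac DoctypePolicyDemo.java && java DoctypePolicyDemo`. The first builder refuses both documents, the second accepts the invoice and aborts the bomb once the expansion count passes the limit, which is the configurable-limit behaviour Arnaud and Neeraj ask for. Note that Arnaud's other case, a single element carrying gigabytes of character data, involves no entity expansion at all; a limit on expansions does nothing for it, so a server still needs an input-size cap in front of the parser.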


