"Benjamin Kolin" <[EMAIL PROTECTED]> wrote on 05/03/2004 05:22:41 PM:

> SecurityManager sounds like a great solution but I have a few questions
> about it:
>
> 1. Are the limits per-document or per-parser?  If per-parser, is there a
> reset mechanism?


The entity expansion limit is per-document. When a SecurityManager is registered with the parser, it limits the number of entity expansions permitted in a document. A fatal error is emitted if the limit is exceeded.

> 2. If the limits are per-document, is this a multi-thread safe object or
> should one be created for each parser?

SecurityManager [1] (see the source) is a fairly simple container for security settings. As long as you're not writing to it while other parsers are using it, you'll get predictable results.

[1] http://cvs.apache.org/viewcvs.cgi/xml-xerces/java/src/org/apache/xerces/util/SecurityManager.java?rev=1.5&view=markup

> Thanks.
>
> -Ben
>
> -----Original Message-----
> From: Neil Delima [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 03, 2004 11:04 AM
> To: [EMAIL PROTECTED]
> Subject: RE: DTD being resolved using non-validating parser?
>
>
> "Benjamin Kolin" <[EMAIL PROTECTED]> wrote on 05/03/2004 01:50:35 PM:
>
> > Followup question - what is considered the best method to defend
> > against entity expansion DOS attacks?  Specifically I am concerned
> > about the internal DTD because the features you mentioned already give
> > me control over the external DTD.  It would be acceptable to me to
> > ignore the internal DTD altogether.  Thanks.
>
> See the property: http://apache.org/xml/properties/security-manager [1]
>
> [1] http://xml.apache.org/xerces2-j/properties.html
> [2] http://xml.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html
> [3] http://xml.apache.org/xerces2-j/faq-write.html#faq-2
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: [EMAIL PROTECTED]
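The per-document limit described in the reply above, as an added example that is not part of the original thread or of Xerces itself: a Xerces-J 2.x SAX parser with a SecurityManager registered through the http://apache.org/xml/properties/security-manager property, fed a document whose internal DTD subset nests entities. The sample document, the class name EntityExpansionLimitDemo and the two limit values are constructed for illustration; org.apache.xerces.util.SecurityManager, setEntityExpansionLimit and the nonvalidating/load-external-dtd feature are Xerces-J's own. It needs xercesImpl on the classpath.

```java
import java.io.StringReader;

import org.apache.xerces.parsers.SAXParser;
import org.apache.xerces.util.SecurityManager;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

/**
 * Added example (not from the mailing-list thread): registers a Xerces
 * SecurityManager with a non-validating SAX parser and shows the fatal
 * error it raises when the entity-expansion limit is exceeded. The limit
 * values and the sample document below are assumptions chosen for
 * illustration.
 */
public class EntityExpansionLimitDemo {

    // Property and feature names documented for Xerces-J 2.x.
    static final String SECURITY_MANAGER =
        "http://apache.org/xml/properties/security-manager";
    static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Constructed sample: an internal DTD subset whose entities nest so that
    // &c; expands to 10 * 10 * 10 = 1000 characters through about a hundred
    // entity expansions. Only the internal subset is involved, which is the
    // case the original question asked about.
    static final String NESTED_ENTITIES =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc [\n" +
        "  <!ENTITY a \"xxxxxxxxxx\">\n" +
        "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n" +
        "  <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n" +
        "]>\n" +
        "<doc>&c;</doc>\n";

    /**
     * Builds a parser with a SecurityManager imposing the given expansion
     * limit. The SecurityManager is parser configuration; the count it
     * enforces is reset for each document, so the reader can be reused.
     */
    static XMLReader hardenedReader(int expansionLimit) throws Exception {
        XMLReader reader = new SAXParser();
        SecurityManager sm = new SecurityManager();
        sm.setEntityExpansionLimit(expansionLimit);
        reader.setProperty(SECURITY_MANAGER, sm);
        // Also stop the non-validating parser from fetching an external DTD,
        // which is the separate feature the thread already covers.
        reader.setFeature(LOAD_EXTERNAL_DTD, false);
        return reader;
    }

    /**
     * Parses the document with the given limit. Returns true if the parse
     * completed, false if the SecurityManager aborted it.
     */
    static boolean parseWithLimit(String xml, int expansionLimit) throws Exception {
        XMLReader reader = hardenedReader(expansionLimit);
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXParseException e) {
            // Xerces reports the exceeded limit as a fatal error, which the
            // default error handler turns into a SAXParseException.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Generous limit: the sample's expansions are allowed through.
        System.out.println("limit 100000: " + parseWithLimit(NESTED_ENTITIES, 100000));
        // Tight limit: parsing aborts instead of materialising the expansion.
        System.out.println("limit 50:     " + parseWithLimit(NESTED_ENTITIES, 50));
    }
}
```

Run it with xercesImpl on the classpath: the first parse completes, the second is rejected before the expanded text is ever built. Since the SecurityManager is only read, never written, after configuration, one instance can be shared by several parsers, which is the condition the thread-safety answer above sets.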