Hello,

in order to alleviate the deployment of configured XXE instances, I tried
to enhance my private .XXE files a little bit.

I inserted a DocType declaration specifying an internal subset in order to
be able to use entity definitions. In the internal subset I defined an
external parameter entity declaration for a file holding general entity
declarations to be used in the body of my .XXE configuration file.

The .XXE file looks like:

    <?xml version='1.0' encoding='ISO-8859-1'?>
    <!DOCTYPE configuration [
        <!ENTITY % my_locations SYSTEM "../base_locations.ent">
        %my_locations;
    ]>
    <configuration name="SomeName"
        ......>

        .........
        <css name="SomeName"
             location="&XML-Resources.local-dir.URL;/CSSs/SomeName.css" />

        <template name="SomeName"
             location="&XML-Resources.local-dir.URL;/Templates/SomeName.xml" />

            .........
      </configuration>

where the general entity &XML-Resources.local-dir.URL; is defined in a file
named 'base_locations.ent' residing in the parent directory of the present
.XXE configuration file.

The contents of file 'base_locations.ent' look like:


    <!-- Some heading comment -->
    <!ENTITY XML-Resources.local-dir.URL
             "file://localhost/C:/Dir1/Dir2/X-local_XML-Resources">

While the described setup makes up a perfectly valid XML file, XMLmind (v2.1)
complains on startup with a message like:

    Warning:

    Startup error !

    Invalid configuration file test.xxe
    .........
    .........

and points to the '%my_locations;' line of the configuration file.

Do you consider this behaviour of XMLmind a bug, or is the usage of an internal
DTD subset with definition of external parameter entities beyond the XMLmind
implementation scope???

Regards
Jo Kuhm, IBM Lab Boeblingen

P.S.

The following .XXE file works, but that is not what I want, because I have to
individually change the 'XML-Resources.local-dir.URL' general entity definition
in every configuration file of my set of configuration files:

    <?xml version='1.0' encoding='ISO-8859-1'?>
    <!DOCTYPE configuration [
        <!ENTITY XML-Resources.local-dir.URL
             "file://localhost/C:/Dir1/Dir2/X-local_XML-Resources">
    ]>
    <configuration name="SomeName"
        ......>

        same as above

      </configuration>
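
How a general-purpose parser treats this setup, as an added example that is not part of the original message and not XMLmind's code: Python's expat binding leaves external parameter entities unread unless parameter entity parsing is switched on and a handler supplies the entity text, and the handler below serves only allow-listed system identifiers. The configuration is a constructed, trimmed-down version of the one in the post, and `ENTITY_FILES`, `css_locations` and `load_entity` are names made up for this example.

```python
import xml.parsers.expat as expat

# Constructed stand-in for ../base_locations.ent (same declaration as in the post).
ENTITY_FILES = {
    "../base_locations.ent": (
        b'<!ENTITY XML-Resources.local-dir.URL\n'
        b'  "file://localhost/C:/Dir1/Dir2/X-local_XML-Resources">'
    ),
}

# Constructed, trimmed-down configuration in the shape shown in the post.
CONFIG = b"""<?xml version='1.0' encoding='ISO-8859-1'?>
<!DOCTYPE configuration [
    <!ENTITY % my_locations SYSTEM "../base_locations.ent">
    %my_locations;
]>
<configuration name="SomeName">
    <css name="SomeName"
         location="&XML-Resources.local-dir.URL;/CSSs/SomeName.css" />
</configuration>
"""


def css_locations(config, entity_files):
    """Parse config, loading external parameter entities only from entity_files."""
    found = []
    parser = expat.ParserCreate()
    # expat's default is to never read external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def load_entity(context, base, system_id, public_id):
        # context is None for a parameter entity such as %my_locations;
        text = entity_files.get(system_id)
        if text is None:
            return 0  # not allow-listed: expat aborts the parse
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(text, True)
        return 1

    def start(name, attrs):
        if name == "css":
            found.append(attrs["location"])

    parser.ExternalEntityRefHandler = load_entity
    parser.StartElementHandler = start
    parser.Parse(config, True)
    return found
```

A system identifier that is not in `ENTITY_FILES` makes the handler return 0, and the parse stops with an `ExpatError` instead of fetching anything.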

