On 3 Feb 2010, at 12:43, Jochen Wiedmann wrote:

> Hi, Johan,
> 
> let's distinguish between two different questions:
> 
> - Whether there is a security issue. If so, this is of course of
> general interest and ought to be fixed immediately.
> 
> I can imagine that you include an external entity into the client's
> message. I can also imagine that this adds a local file's contents to
> the request. However, I have difficulty understanding why this
> should become a part of the response? Is this specific to your
> application?
> 
> - Whether and how you'd like to access the SAX parser.
> 
> Give me a few days to think about this.
> 

I believe Johan is quite right about this being a security issue. It's not a
new issue; it was raised on XML-DEV many years ago as a generic security
problem with XML parsers.

It was an issue when Apache XML-RPC was still Helma XML-RPC and was (I think) 
one of the reasons for standardising on MinML as the default parser (as that 
does not allow DTDs). It's also one of the reasons why SOAP doesn't allow DTDs.

My own view is that both these features should be set false by default. 


John Wilson
