Thanks, John. I'll follow your suggestion.
On Wed, Feb 3, 2010 at 5:38 PM, John Wilson <t...@wilson.co.uk> wrote:
>
> On 3 Feb 2010, at 12:43, Jochen Wiedmann wrote:
>
>> Hi, Johan,
>>
>> let's distinguish between two different questions:
>>
>> - Whether there is a security issue. If so, this is of course of
>> general interest and ought to be fixed immediately.
>>
>> I can imagine that you include an external entity into the client's
>> message. I can also imagine that this adds a local file's contents to
>> the request. However, I have difficulty understanding why this
>> should become a part of the response? Is this specific to your
>> application?
>>
>> - Whether and how you'd like to access the SAX parser.
>>
>> Give me a few days to think about this.
>>
>
> I believe Johan is quite right about this being a security issue. It's not a
> new issue, it was raised on XML-DEV many years ago as a generic security
> problem with XML parsers.
>
> It was an issue when Apache XML-RPC was still Helma XML-RPC and was (I think)
> one of the reasons for standardising on MinML as the default parser (as that
> does not allow DTDs). It's also one of the reasons why SOAP doesn't allow
> DTDs.
>
> My own view is that both these features should be set false by default.
>
>
> John Wilson

-- 
Germany's national anthem is the most boring in the world - how telling!
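What "set both features false by default" looks like in a JAXP SAX parser, as an added example that is not code from this thread or from Apache XML-RPC: it assumes the JDK's built-in Xerces feature names, and the XML-RPC request with a DOCTYPE is constructed for the demonstration. The default factory expands the entity into the parsed text; the hardened factory rejects the DOCTYPE before any entity, internal or external, is resolved.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlRpcParser {
    // Constructed sample request: its DTD declares an entity the body references. A default
    // JAXP parser expands it; the hardened one refuses the DOCTYPE, so no entity is resolved.
    static final String REQUEST_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE methodCall [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<methodCall><methodName>echo</methodName>"
      + "<params><param><value>&greeting;</value></param></params></methodCall>";

    // The two entity features the thread wants off, plus disallow-doctype-decl, which
    // gives the same effect as a parser with no DTD support at all (assumed Xerces names).
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Returns the collected character data, or null when the parser rejects the document.
    static String parse(SAXParserFactory f, String xml) throws Exception {
        final StringBuilder text = new StringBuilder();
        SAXParser p = f.newSAXParser();
        try {
            p.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
                @Override public void characters(char[] ch, int start, int len) {
                    text.append(ch, start, len);
                }
            });
        } catch (SAXException e) {
            return null;  // e.g. "DOCTYPE is disallowed" from the hardened parser
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parse(SAXParserFactory.newInstance(), REQUEST_WITH_DTD));
        System.out.println("hardened: " + parse(hardenedFactory(), REQUEST_WITH_DTD));
    }
}
```

Applying the same features to the parser that handles responses matters as much as the request side, since the thread's concern is entity content crossing from one into the other.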