Discussion:
cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
s***@apache.org
2005-06-24 22:55:57 UTC
snichol 2005/06/24 15:55:57

Modified: java/src/org/apache/soap/util/xml XMLParserUtils.java
Log:
Default expandEntityReferences to true.

Revision Changes Path
1.12 +2 -2 ws-soap/java/src/org/apache/soap/util/xml/XMLParserUtils.java

Index: XMLParserUtils.java
===================================================================
RCS file: /home/cvs/ws-soap/java/src/org/apache/soap/util/xml/XMLParserUtils.java,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- XMLParserUtils.java 7 Apr 2004 20:51:40 -0000 1.11
+++ XMLParserUtils.java 24 Jun 2005 22:55:57 -0000 1.12
@@ -47,7 +47,7 @@

static {
// Create a default instance.
- refreshDocumentBuilderFactory(null, true, false, false);
+ refreshDocumentBuilderFactory(null, true, false, true);
}

/**
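Review bot: In the static initializer, the fourth argument flips from `false` to `true` with nothing at the call site naming the setting or giving the reason; only the log message identifies it as expandEntityReferences. Four positional arguments (`null, true, false, true`) are easy to misread, so the existing "Create a default instance" comment should be extended to say which flag this is and why the default is `true`.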
@@ -77,7 +77,7 @@
refreshDocumentBuilderFactory(factoryClassName,
namespaceAware,
validating,
- validating);
+ true);
}

/**
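Review bot: In this three-argument overload, the last argument passed on used to be `validating` and is now a hard-coded `true`, so callers that pass `validating` as `false` silently get different entity handling than before. The Javadoc for this overload should state that entity references are always expanded here, and that callers who need the other behaviour must call the four-argument form directly.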
WJCarpenter
2005-06-25 19:00:02 UTC
sn> Modified: java/src/org/apache/soap/util/xml XMLParserUtils.java
sn> Log: Default expandEntityReferences to true.

Wasn't that changed to false a while back to thwart DOS stuff in
malicious XML or something? (I might be misremembering this from some
other context.)
--
bill-***@carpenter.ORG (WJCarpenter) PGP 0x91865119
38 95 1B 69 C9 C6 3D 25 73 46 32 04 69 D6 ED F3
Scott Nichol
2005-06-26 02:38:32 UTC
Yes, it was, but the unfortunate side effect is that entities like &lt; and &quot; are ignored rather than expanded, which breaks any calls where such entities appear in character data.

Scott Nichol

Do not send e-mail directly to this e-mail address,
because it is filtered to accept only mail from
specific mail lists.
----- Original Message -----
From: "WJCarpenter" <bill-***@carpenter.ORG>
To: <soap-***@ws.apache.org>
Sent: Saturday, June 25, 2005 3:00 PM
Subject: RE: cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
Post by WJCarpenter
sn> Modified: java/src/org/apache/soap/util/xml XMLParserUtils.java
sn> Log: Default expandEntityReferences to true.
Wasn't that changed to false a while back to thwart DOS stuff in
malicious XML or something? (I might be misremembering this from some
other context.)
--
38 95 1B 69 C9 C6 3D 25 73 46 32 04 69 D6 ED F3
Scott Nichol
2005-06-26 21:21:32 UTC
This does not mean I am punting. I am changing this for now, but will try to come up with better code that protects against DOS *and* correctly expands common entities.

Scott Nichol

Do not send e-mail directly to this e-mail address,
because it is filtered to accept only mail from
specific mail lists.
----- Original Message -----
From: "Scott Nichol" <***@scottnichol.com>
To: <soap-***@ws.apache.org>
Sent: Saturday, June 25, 2005 10:38 PM
Subject: Re: cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java


Yes, it was, but the unfortunate side effect is that entities like &lt; and &quot; are ignored rather than expanded, which breaks any calls where such entities appear in character data.

Scott Nichol

Do not send e-mail directly to this e-mail address,
because it is filtered to accept only mail from
specific mail lists.
----- Original Message -----
From: "WJCarpenter" <bill-***@carpenter.ORG>
To: <soap-***@ws.apache.org>
Sent: Saturday, June 25, 2005 3:00 PM
Subject: RE: cvs commit: ws-soap/java/src/org/apache/soap/util/xml XMLParserUtils.java
Post by WJCarpenter
sn> Modified: java/src/org/apache/soap/util/xml XMLParserUtils.java
sn> Log: Default expandEntityReferences to true.
Wasn't that changed to false a while back to thwart DOS stuff in
malicious XML or something? (I might be misremembering this from some
other context.)
--
38 95 1B 69 C9 C6 3D 25 73 46 32 04 69 D6 ED F3
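
One way to get both properties discussed in this thread, shown as an added example (not code from the Apache SOAP project or from either poster): keep `expandEntityReferences` at `true` so `&lt;` and `&quot;` become text, and reject any DOCTYPE so a message cannot declare entities of its own. The class and method names are hypothetical, and the `disallow-doctype-decl` feature is assumed to be supported by the parser in use (Xerces and the JDK's built-in parser recognise it).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical stand-alone class; it does not exist in ws-soap.
public class HardenedSoapParserExample {

    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setValidating(false);
        // Same setting as revision 1.12: entity references are expanded into text.
        f.setExpandEntityReferences(true);
        // JAXP secure processing: the parser applies its built-in resource limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any document that carries a DOCTYPE, so no custom
        // entities can be declared; predefined entities are unaffected.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        return newBuilder().parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: character data using only predefined entities.
        String plain = "<arg>a &lt; b, name=&quot;x&quot;</arg>";
        System.out.println(parse(plain).getDocumentElement().getTextContent());

        // Constructed sample: a document that declares its own entity.
        String withDtd = "<!DOCTYPE arg [<!ENTITY e \"x\">]><arg>&e;</arg>";
        try {
            parse(withDtd);
            System.out.println("accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```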