Comments (4)
The system properties are useful for risk mitigation in legacy applications and third-party dependencies, where it is often impossible to configure internally used parsers programmatically.
@veita yes, true enough. Security aspects may be one area where it is one of lesser evils.
I guess the fundamental root cause realistically is that the StAX spec did not specify the default for "javax.xml.stream.isReplacingEntityReferences" to be false. But that's difficult to rectify at this point.
Note to self: ACCESS_ properties have been added in XMLConstants in Java 7. Given that Woodstox requires only Java 6, this could be problematic if we rely on constants. Except that, I think final static constants may be folded in during compilation... need to verify, but if so, we have to compile on Java 7 (1.7), but Java 6 runtime should still be ok.
Also: to make sure, the relevant JEP part reads:
JAXP 1.5 adds three new API-level properties to limit external connections to specific, named protocols:
javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD: A list of protocols by which external DTDs and external entity references may be accessed.
javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA: A list of protocols via which external schema references, specified by the schemaLocation attribute of import and include elements, may be resolved.
javax.xml.XMLConstants.ACCESS_EXTERNAL_STYLESHEET: A list of protocols via which external references specified in stylesheet constructs such as processing instructions, document() functions, import elements, and include elements may be resolved.
It also adds three corresponding system properties, to provide developers the ability to change the settings without changing code:
javax.xml.accessExternalDTD for ACCESS_EXTERNAL_DTD
javax.xml.accessExternalSchema for ACCESS_EXTERNAL_SCHEMA
javax.xml.accessExternalStylesheet for ACCESS_EXTERNAL_STYLESHEET
Finally, it allows the above properties to be set in the existing configuration file, ${java.home}/lib/jaxp.properties, so as to define the behavior for all invocations of the JDK or JRE. The format of entries in the file is property-name=value, for example:
javax.xml.accessExternalDTD=file,http
and it specifically ignores FEATURE_SECURE_PROCESSING, for which I will create a separate issue.
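As an added illustration of the JAXP 1.5 properties quoted above (example code, not from the thread or from Woodstox), the following shows a DOM parser locked down with XMLConstants.ACCESS_EXTERNAL_DTD set to an empty protocol list, the system-property alternative from the JEP, and, since StAX has no such attribute, the standard XMLInputFactory properties that give an equivalent effect. The DOCTYPE reference, the host name and the class name are constructed for the demo.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class ExternalAccessDemo {
    // Constructed sample: a document whose DOCTYPE points at an external DTD over http.
    static final String DOC =
        "<!DOCTYPE note SYSTEM \"http://example.invalid/note.dtd\"><note>hi</note>";

    // JAXP 1.5 way: the attribute takes a comma-separated protocol list; "" allows none.
    // A value set here in code takes precedence over javax.xml.accessExternalDTD
    // from the command line or jaxp.properties.
    static DocumentBuilder lockedDownDomParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // StAX has no ACCESS_EXTERNAL_DTD attribute (the gap this issue is about), so for an
    // XMLInputFactory the equivalent defence is the standard StAX properties below.
    static XMLInputFactory lockedDownStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // The spec default discussed in the thread is true; set it explicitly.
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Code-free alternative from the JEP: -Djavax.xml.accessExternalDTD=file or jaxp.properties.
        System.out.println("javax.xml.accessExternalDTD="
            + System.getProperty("javax.xml.accessExternalDTD"));
        try {
            lockedDownDomParser().parse(new InputSource(new StringReader(DOC)));
            System.out.println("DOM: external DTD was fetched (parser is NOT locked down)");
        } catch (SAXException e) {
            System.out.println("DOM: external DTD access refused: " + e.getMessage());
        }
        XMLStreamReader r = lockedDownStaxFactory().createXMLStreamReader(new StringReader(DOC));
        while (r.hasNext()) r.next();   // with SUPPORT_DTD=false the DOCTYPE is skipped, not fetched
        r.close();
        System.out.println("StAX: parsed without resolving the external DTD");
    }
}
```

Run it once with no system property and once with -Djavax.xml.accessExternalDTD=file to see that the programmatic "" still wins for the DOM parser.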