
CVE-2010-1632: Message builders for SOAP and XML should not attempt to load DTDs

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 1.5.2, 1.6.0
• Component/s: kernel
• Labels: None

Description

When Axis2 receives a message with a DOCTYPE declaration referencing a DTD (using a system ID), it will attempt to load that DTD. Since SOAP doesn't allow DTDs, we should not try to load it.

See also: http://markmail.org/message/e4yiij7lfexastvl

Note that the described behavior depends on the StAX parser implementation. For more information, see WSCOMMONS-394 (which also describes a potential solution for the present issue).
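As an added example (not Axis2's own code), a StAX reader configured so that a DOCTYPE with a system ID, as in the message the issue describes, does not cause the DTD to be fetched. The factory properties and the fail-closed XMLResolver are the mitigation assumed here, and the sample message and its DTD host are constructed placeholders.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class NoDtdLoadExample {
    // Constructed sample (not from the issue): a SOAP envelope whose DOCTYPE
    // references an external DTD by system ID; the host is a placeholder.
    static final String MESSAGE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Envelope SYSTEM \"http://dtd.example.invalid/soap.dtd\">\n"
      + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>";

    // StAX factory told not to process DTDs or external entities.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // The issue notes the behaviour depends on the StAX implementation, so
        // if the parser still asks for an external resource, fail closed.
        f.setXMLResolver(new XMLResolver() {
            public Object resolveEntity(String publicID, String systemID,
                                        String baseURI, String namespace)
                    throws XMLStreamException {
                throw new XMLStreamException("refusing to load " + systemID);
            }
        });
        return f;
    }

    // Returns the number of START_ELEMENT events read with the hardened factory.
    static int countElements(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        int n = 0;
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT) n++;
            }
        } finally { r.close(); }
        return n;
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println("elements parsed: " + countElements(MESSAGE));
    }
}
```

If the parser honours SUPPORT_DTD the envelope is read with no resolver call; if it does not, the resolver raises instead of fetching the DTD.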

        Activity

Andreas Veithen added a comment -

Fixed by r944915 on the trunk.
Fixed by r952764 on the 1.5 branch.


People

• Assignee: Andreas Veithen
• Reporter: Andreas Veithen
• Votes: 1
• Watchers: 1

Dates

• Created:
• Updated:
• Resolved: