  1. Axis2
  2. AXIS2-4450

CVE-2010-1632: Message builders for SOAP and XML should not attempt to load DTDs


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.5.2, 1.6.0
    • kernel
    • None

    Description

      When Axis2 receives a message with a DOCTYPE declaration referencing a DTD (using a system ID), it will attempt to load that DTD. Since SOAP doesn't allow DTDs, we should not try to load it.

      See also: http://markmail.org/message/e4yiij7lfexastvl

      Note that the described behavior depends on the StAX parser implementation. For more information, see WSCOMMONS-394 (which also describes a potential solution for the present issue).
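An added example (not code from Axis2 or from this issue) of the behaviour the description asks for: a StAX reader that refuses a message carrying a DOCTYPE and never fetches the referenced DTD. The class `NoDtdSoapReader`, its methods and the sample messages are constructed for illustration; only standard `javax.xml.stream` calls are used.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class NoDtdSoapReader {
    // Factory configured so that no external DTD or entity is ever fetched.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Backstop: how a parser treats a DOCTYPE with SUPPORT_DTD=false is
        // implementation-dependent, so any resolution attempt fails instead of doing I/O.
        f.setXMLResolver((publicId, systemId, baseUri, namespace) -> {
            throw new XMLStreamException("External entity blocked: " + systemId);
        });
        return f;
    }

    // Returns the root element's local name; throws if a DTD event is seen first.
    static String readRoot(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.DTD) {
                    throw new XMLStreamException("DOCTYPE not allowed in a SOAP message");
                }
                if (event == XMLStreamConstants.START_ELEMENT) {
                    return r.getLocalName();
                }
            }
            throw new XMLStreamException("No root element found");
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample messages; the DTD URL is a placeholder that is never contacted.
        String envelope = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soap:Body/></soap:Envelope>";
        String withDoctype = "<!DOCTYPE soap:Envelope SYSTEM \"http://dtd.example.invalid/probe.dtd\">"
                + envelope;
        for (String message : new String[] { envelope, withDoctype }) {
            try {
                System.out.println("accepted: " + readRoot(message));
            } catch (XMLStreamException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Some StAX implementations throw as soon as they meet the DOCTYPE and others report a DTD event, which is why the reader checks for the event as well as configuring the factory.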


          People

            veithen Andreas Veithen
            veithen Andreas Veithen