Axis2 / AXIS2-4450

CVE-2010-1632: Message builders for SOAP and XML should not attempt to load DTDs

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.5.2, 1.6.0
    • Component/s: kernel
    • Labels:
      None

      Description

      When Axis2 receives a message with a DOCTYPE declaration referencing a DTD (using a system ID), it will attempt to load that DTD. Since SOAP doesn't allow DTDs, we should not try to load it.

      See also: http://markmail.org/message/e4yiij7lfexastvl

      Note that the described behavior depends on the StAX parser implementation. For more information, see WSCOMMONS-394 (which also describes a potential solution for the present issue).
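
An added example (not Axis2 or Axiom code, and not the solution described in WSCOMMONS-394): one way to keep a StAX reader from loading a DTD referenced by a system ID, using only standard `javax.xml.stream` settings plus a check for the DTD event. The class name, the sample message and the `dtd.example.invalid` host are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class NoDtdSoapReader {
    // Constructed sample: a SOAP envelope preceded by a DOCTYPE with a system ID.
    // The host uses the reserved .invalid TLD and cannot resolve.
    static final String WITH_DOCTYPE =
        "<!DOCTYPE Envelope SYSTEM \"http://dtd.example.invalid/soap.dtd\">"
      + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body/></soapenv:Envelope>";
    static final String WITHOUT_DOCTYPE =
        WITH_DOCTYPE.substring(WITH_DOCTYPE.indexOf("<soapenv"));

    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Ask the parser not to process DTDs or external entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Backstop: behavior differs between StAX implementations, so any
        // attempt to resolve an external resource fails instead of fetching it.
        f.setXMLResolver((publicId, systemId, baseUri, namespace) -> {
            throw new XMLStreamException("Refusing to load external resource: " + systemId);
        });
        return f;
    }

    /** Returns true only if the message parses and carries no DOCTYPE declaration. */
    static boolean accept(String xml) {
        try {
            XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.DTD) {
                    return false; // SOAP does not allow DTDs: reject the message
                }
            }
            return true;
        } catch (XMLStreamException e) {
            return false; // the parser or the resolver rejected the input
        }
    }

    public static void main(String[] args) {
        System.out.println("with DOCTYPE accepted:    " + accept(WITH_DOCTYPE));
        System.out.println("without DOCTYPE accepted: " + accept(WITHOUT_DOCTYPE));
    }
}
```

Because the outcome depends on the StAX implementation on the classpath, run the check against the parser actually deployed rather than relying on the property settings alone.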


          People

          • Assignee: Andreas Veithen
          • Reporter: Andreas Veithen
