Daffodil
DAFFODIL-1422

disallow doctype decls in all XML & XSD that we read in


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.1.0
    • Fix Version/s: 3.2.0
    • Component/s: API, Back End, Front End
    • Labels: None

    Description

      We should be doing this:

      spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
      

      and simply rejecting things with doctype decls. This would apply to all the XML we consume be it a DFDL schema, configuration file, or input data for unparsing.

      This is needed because of problems that doctype decls can create where the incoming XML can cause the JVM to crash with out-of-memory-errors (OOME).

      See https://en.wikipedia.org/wiki/Billion_laughs for one vulnerability that this fixes.
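      The following is an added illustration of the hardening the issue proposes, not code from the Daffodil code base. It builds a SAXParserFactory with the Xerces disallow-doctype-decl feature (plus the external-entity features as a belt-and-braces measure), then feeds it a constructed, deliberately small "billion laughs" style document and a plain document. With the feature on, the entity-expansion input is rejected at the DOCTYPE before any expansion occurs, so the OOME described above never gets a chance to happen. The object and method names (DoctypeRejectionDemo, hardenedFactory, parse) are assumptions for the example; the feature URIs are the standard Xerces/SAX ones recognised by the JDK's bundled parser.

```scala
import java.io.StringReader
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.{InputSource, SAXParseException}
import org.xml.sax.helpers.DefaultHandler

// Example code added to this page; not part of Daffodil.
object DoctypeRejectionDemo {

  // Constructed input in the "billion laughs" shape: nested entity expansion
  // declared in an internal DTD subset. Kept to two levels so it is harmless
  // even on a non-hardened parser; the point is that the hardened parser
  // rejects the DOCTYPE itself, before any expansion is attempted.
  val entityExpansionXml: String =
    """<?xml version="1.0"?>
      |<!DOCTYPE lolz [
      | <!ENTITY lol "lol">
      | <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      | <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
      |]>
      |<lolz>&lol2;</lolz>""".stripMargin

  // Constructed benign input with no DOCTYPE; must still parse normally.
  val plainXml: String = """<?xml version="1.0"?><data><x>1</x></data>"""

  // A factory configured the way the issue proposes: any DOCTYPE declaration
  // is an error. The extra features disable external entity resolution as
  // well, in case a different SAX implementation does not honour the
  // Xerces-specific disallow-doctype-decl feature.
  def hardenedFactory(): SAXParserFactory = {
    val spf = SAXParserFactory.newInstance()
    spf.setNamespaceAware(true)
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false)
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    spf
  }

  // Parses the document with the given factory. Returns Right(number of
  // character-data chars seen) on success, or Left(parser message) when the
  // parser rejects the input (for the hardened factory, at the DOCTYPE).
  def parse(spf: SAXParserFactory, xml: String): Either[String, Int] = {
    var chars = 0
    val handler = new DefaultHandler {
      override def characters(ch: Array[Char], start: Int, length: Int): Unit =
        chars += length
    }
    try {
      spf.newSAXParser().parse(new InputSource(new StringReader(xml)), handler)
      Right(chars)
    } catch {
      case e: SAXParseException => Left(e.getMessage)
    }
  }

  def main(args: Array[String]): Unit = {
    val hardened = hardenedFactory()
    println(s"plain document:     ${parse(hardened, plainXml)}")
    println(s"doctype document:   ${parse(hardened, entityExpansionXml)}")
  }
}
```

      The check a practitioner wants here is the second line of output: the hardened factory fails the DOCTYPE document with a SAXParseException rather than expanding it, while the plain document parses as before. Note that the same factory must be used for every XML source the code reads (schemas, configuration, data to unparse), since a single unhardened entry point is enough to reintroduce the problem.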

          People

            Assignee: mbeckerle Mike Beckerle
            Reporter: mbeckerle Mike Beckerle