[jdom-interest] How to disable <!DOCTYPE > parsing

Raffaele Sena raff at aromatic.org
Thu Dec 16 15:07:11 PST 2004


I am pretty sure this is not a specific JDOM problem but I wanted to see 
if any of you has an idea.

I am parsing some XML data using JDOM and SAXBuilder. The data is posted
by a web client to execute some server-side APIs. The format is very
simple so I don't have a DTD or schema for it. Also, I parse the document
with no validation (since I don't have a DTD to validate against).

Somebody, to test our "security holes", came up with the idea of passing a 
<!DOCTYPE > anyway with an arbitrary URL for the DTD, and what do you know, 
the XML parser, validation or not, tries to access it (so they claim it is a 
security hole because they can generate accesses from our server to 
whatever server they put in the DTD URL. Pretty clever actually!)

Again, I think this is a problem with the XML parser I am using. I found 
out that Xalan has a special "feature" to disable DTD parsing (but I 
didn't try because I don't want to use Xalan for this).

First of all, should this happen if validation is disabled?
If that's out of JDOM control, can anybody think of a way to disable this 
at the XML parser level (maybe subclassing some handler?)

Thanks!

-- Raffaele
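As an added example (not from the original post or the JDOM project), this is how the external-DTD fetch described above can be switched off at the parser level with JDOM 1.x's SAXBuilder. It assumes the JDK-bundled Xerces parser, which understands the Apache feature URIs; the class name, the placeholder DTD URL and the sample payload are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom.Document;
import org.jdom.JDOMException;
import org.jdom.input.SAXBuilder;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

/** Parses untrusted XML with JDOM 1.x without ever fetching an external DTD. */
public class SafeXmlParser {

    /** Strongest option: any <!DOCTYPE> in the input becomes a fatal parse error. */
    public static SAXBuilder doctypeRejectingBuilder() {
        SAXBuilder builder = new SAXBuilder(false); // no validation, as in the post
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return builder;
    }

    /** Tolerates a DOCTYPE but never resolves anything it points to. */
    public static SAXBuilder doctypeIgnoringBuilder() {
        SAXBuilder builder = new SAXBuilder(false);
        // Xerces: skip the external DTD even in non-validating mode.
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Standard SAX features: no external general or parameter entities.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Belt and braces: if the parser still asks, hand back an empty entity instead of a URL fetch.
        builder.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId) {
                return new InputSource(new StringReader(""));
            }
        });
        return builder;
    }

    public static Document parse(SAXBuilder builder, String xml) throws JDOMException, IOException {
        return builder.build(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of the payload described in the post; the DTD URL is a placeholder.
        String hostile = "<!DOCTYPE request SYSTEM \"http://dtd-host.example/placeholder.dtd\">\n"
                + "<request><api>ping</api></request>";
        Document doc = parse(doctypeIgnoringBuilder(), hostile);
        System.out.println("parsed root: " + doc.getRootElement().getName()); // no network access
        try {
            parse(doctypeRejectingBuilder(), hostile);
        } catch (JDOMException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two builders answer the two halves of the question: the first fails closed on any DOCTYPE, the second keeps parsing but guarantees the server never opens a connection to the DTD URL.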