[jdom-interest] How to disable <!DOCTYPE > parsing
Jason Hunter
jhunter at xquery.com
Thu Dec 16 16:45:17 PST 2004
http://www.jdom.org/docs/faq.html#a0350
(I'm quick with the FAQ pointers today.)
-jh-
Raffaele Sena wrote:
> I am pretty sure this is not a specific JDOM problem but I wanted to see
> if any of you has an idea.
>
> I am parsing some XML data using JDOM and SAXBuilder. The data is posted
> by a web client to execute some server-side APIs. The format is very
> simple so I don't have a DTD or schema for it. Also, I parse the document
> with no validation (since I don't have a DTD to validate against).
>
> Somebody, to test our "security holes", came up with the idea of passing a
> <!DOCTYPE > anyway with an arbitrary URL for the DTD and what do you know,
> the XML parser, validation or not, tries to access it (so they claim it is a
> security hole because they can generate accesses from our server to
> whatever server they put in the DTD URL. Pretty clever actually!)
>
> Again, I think this is a problem with the XML parser I am using. I found
> out that Xalan has a special "feature" to disable DTD parsing (but I
> didn't try because I don't want to use Xalan for this).
>
> First of all, should this happen if validation is disabled?
> If that's out of JDOM's control, can anybody think of a way to disable this
> at the XML parser level (maybe subclassing some handler?)
>
> Thanks!
>
> -- Raffaele
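An added example, not part of the original thread and not JDOM project code: one way to keep a non-validating SAXBuilder from fetching the DTD named in a posted <!DOCTYPE>. It assumes JDOM 1.x package names (org.jdom) and Xerces as the underlying SAX parser, since the two feature URIs are Xerces-specific; the class name, method name and sample document are constructed for illustration.

```java
import java.io.StringReader;
import org.jdom.Document;
import org.jdom.JDOMException;
import org.jdom.input.SAXBuilder;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

public class NoDtdFetch {

    // Xerces-specific feature URIs (assumption: Xerces is the SAX parser in use).
    static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Hypothetical helper: builds a SAXBuilder that never dereferences a DTD URL.
    static SAXBuilder hardenedBuilder(boolean rejectDoctype) {
        SAXBuilder builder = new SAXBuilder(false);       // validation off
        builder.setFeature(LOAD_EXTERNAL_DTD, false);     // do not load the external subset
        if (rejectDoctype) {
            builder.setFeature(DISALLOW_DOCTYPE, true);   // any <!DOCTYPE> is a fatal error
        }
        // Parser-independent backstop: every external entity, the DTD
        // included, resolves to an empty stream instead of a network fetch.
        builder.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId) {
                return new InputSource(new StringReader(""));
            }
        });
        return builder;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request; the .invalid host can never resolve.
        String posted = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE request SYSTEM \"http://dtd-host.invalid/x.dtd\">\n"
            + "<request><op>ping</op></request>";

        // Lenient mode: the DOCTYPE is tolerated but its URL is never contacted.
        Document doc = hardenedBuilder(false).build(new StringReader(posted));
        System.out.println("parsed op: " + doc.getRootElement().getChildText("op"));

        // Strict mode: a format with no DTD has no reason to accept a DOCTYPE.
        try {
            hardenedBuilder(true).build(new StringReader(posted));
        } catch (JDOMException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the underlying parser is not Xerces, the setFeature calls surface as a JDOMException at build time, while the EntityResolver works with any SAX parser.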