[jdom-interest] How to disable <!DOCTYPE > parsing

[Raffaele Sena]

Great! Thanks! (and sorry if I didn't look at the FAQ before ):

-- Raffaele


On Thu, 16 Dec 2004, Jason Hunter wrote:

> http://www.jdom.org/docs/faq.html#a0350
> 
> (I'm quick with the FAQ pointers today.)
> 
> -jh-
> 
> Raffaele Sena wrote:
> 
> > I am pretty sure this is not a specific JDOM problem but I wanted to see 
> > if any of you has an idea.
> > 
> > I am parsing some XML data using JDOM and SAXBuilder. The data is posted
> > by a web client to execute some server-side APIs. The format is very
> > simple so I don't have a DTD or schema for it. Also, I parse the document
> > with no validation (since I don't have a DTD to validate against).
> > 
> > Somebody, to test our "security holes" came up with the idea of passing a 
> > <!DOCTYPE > anyway with an arbitrary URL for the DTD and what do you know, 
> > the XML parser, validation or not, tries to access it (so they claim is a 
> > security hole because they can generate accesses from our server to 
> > whatever server they put in the DTD URL. Pretty clever actually!)
> > 
> > Again, I think this is a problem with the XML parser I am using. I found 
> > out that Xalan has a special "feature" to disable DTD parsing (but I 
> > didn't try because I don't want to use Xalan for this).
> > 
> > First of all, should this happen if validation is disabled ?
> > If that's out of JDOM control, can anybody think of a way to disable this 
> > at the XML parser level (maybe subclassing some handler ?)
> > 
> > Thanks!
> > 
> > -- Raffaele
> >  
> > 
> > _______________________________________________
> > To control your jdom-interest membership:
> > http://www.jdom.org/mailman/options/jdom-interest/youraddr@yourhost.com
> > 
> _______________________________________________
> To control your jdom-interest membership:
> http://www.jdom.org/mailman/options/jdom-interest/youraddr@yourhost.com
> 
> 
> !DSPAM:41c2279e252831915616552!
> 
>