Bug#540862: reassign

brian m. carlson sandals at crustytoothpaste.net
Fri Feb 4 21:57:32 UTC 2011


On Tue, Aug 11, 2009 at 12:04:00PM -0400, Michael S. Gilbert wrote:
> reassign 540862 libxerces2-java
> thanks
> 
> this appears to be a flaw in the xerces xml parser.  see previous
> discussion and pdf.

I don't see what you expect Xerces to do here.  Since Xerces is not
usable in a standalone format with Tomcat (you have to create a servlet
that specifically calls Xerces), there's really nothing that Xerces can
do.  The ability to read entities from the local network may in fact be
very useful if the data being parsed are under the server's (i.e., not
an attacker's) control.

This is a specific case of sanitizing your input data.  A servlet
parsing untrusted XML probably should use more defensive settings, but
that is hardly a bug in Xerces.  AFAICT, all Java XML parsers read DTDs
(both internal and external) by default; this has both good and bad
aspects, but it is not a security bug.  To call it one would be blaming
a shared library for resolving external references when the
network-facing daemon has failed to instruct it otherwise.

NB: I am not the maintainer, but I do use both Xerces and Tomcat.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187