I politely disagree. This can only be fixed via parser configuration. It makes sense to turn external entities OFF by default since they're rarely used and do a lot of damage by default. Most XML parsers already default to turning this off. It's almost always a good idea to have safe defaults in software when you can.
Note: IBM has a very expensive product *just* to handle this issue - which would be largely unnecessary if Xerces defaulted to turning external entities off by default.

With respect,
--
Jim Manico
@Manicode
(808) 652-3805

> On Mar 4, 2015, at 8:23 AM, Michael Glavassevich <[email protected]> wrote:
>
> "Cantor, Scott" <[email protected]> wrote on 03/04/2015 12:16:03 PM:
>
>> From: "Cantor, Scott" <[email protected]>
>> To: "[email protected]" <[email protected]>,
>> Date: 03/04/2015 12:18 PM
>> Subject: Re: Hello and XXE
>>
>> On 3/4/15, 5:08 PM, "Jim Manico" <[email protected]> wrote:
>>
>>> With respect, XXE is a massive vulnerability that is turned off by default in Java 8 as well as IBM parsers. Is there any proof or risk model I could provide to convince Xerces to turn this off by default?
>>
>> +1
>>
>> And it's not the only unfixed vulnerability in play (per the note I just sent).
>
> -1. XXE is not a vulnerability in the parser. It may be a vulnerability for an application/product, but that is the developer's responsibility to apply proper configuration to protect themselves in the right context.
>
>> -- Scott
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: [email protected]
> E-mail: [email protected]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> ---------------------------------------------------------------------
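The "parser configuration" the reply refers to, as an added example that is not part of this thread or of Xerces itself: two `DocumentBuilderFactory` setups using the standard SAX and Xerces feature URIs, one that rejects any DOCTYPE outright and a looser one for inputs that legitimately carry a DTD but must never resolve external entities. The class name and the sample document are constructed for the illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SafeXmlParsing {
    // Strictest option: any DOCTYPE is rejected, so no entity (internal or
    // external) can be declared at all. Prefer this unless DTDs are required.
    static DocumentBuilderFactory strictFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Looser option for inputs that legitimately carry a DTD: keep the DOCTYPE
    // but never fetch external general/parameter entities or an external DTD.
    static DocumentBuilderFactory dtdTolerantFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: the DTD declares an external entity that the body references.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///nonexistent/example\"> ]>\n"
            + "<note>&ext;</note>";
        try {
            parse(strictFactory(), xml);
        } catch (SAXParseException e) {
            System.out.println("strict: DOCTYPE rejected -> " + e.getMessage());
        }
        Document doc = parse(dtdTolerantFactory(), xml);
        // The external entity stays unresolved, so the element carries no fetched content.
        System.out.println("dtd-tolerant: text='" + doc.getDocumentElement().getTextContent() + "'");
    }
}
```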
