Daffodil / DFDL-1422

disallow doctype decls in all XML & XSD that we read in


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Normal
    • deferred
    • 1.1.0
    • Components: API, Back End, Front End

      We should be doing this:

      spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)

      and simply rejecting things with doctype decls. This would apply to all the XML we consume, be it a DFDL schema, configuration file, or input data for unparsing.

      This is needed because of problems that doctype decls can create, where the incoming XML can cause the JVM to crash with out-of-memory errors (OOME).

      See https://en.wikipedia.org/wiki/Billion_laughs for one vulnerability that this fixes.
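      A Scala sketch of the proposed hardening, added here as an illustration rather than code from Daffodil itself: a SAXParserFactory with disallow-doctype-decl enabled rejects a constructed document at its DOCTYPE line, before any entity expansion happens, while XML without a DOCTYPE parses normally. The object name, the sample documents, and the three additional external-entity features are assumptions beyond what the ticket names.

```scala
import java.io.StringReader
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.{InputSource, SAXParseException}
import org.xml.sax.helpers.DefaultHandler

object DoctypeGuard {
  // Constructed sample input: a small, harmless internal DTD subset. With the
  // feature enabled the parser stops at the DOCTYPE line, whatever the entity holds.
  val withDoctype: String =
    """<?xml version="1.0"?>
      |<!DOCTYPE root [ <!ENTITY e "expanded"> ]>
      |<root>&e;</root>""".stripMargin

  // Constructed sample input with no DOCTYPE at all.
  val plain: String = """<?xml version="1.0"?><root>literal</root>"""

  // Factory configured as the ticket proposes. The three extra features are an
  // assumption beyond the ticket; they close off external DTD/entity fetches.
  def hardenedFactory(): SAXParserFactory = {
    val spf = SAXParserFactory.newInstance()
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false)
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    spf
  }

  // Parse xml with a parser from spf, collecting character data.
  // Returns Right(text) on success, Left(reason) when the parser rejects it.
  def parse(spf: SAXParserFactory, xml: String): Either[String, String] = {
    val text = new StringBuilder
    val handler = new DefaultHandler {
      override def characters(ch: Array[Char], start: Int, length: Int): Unit =
        text.appendAll(ch, start, length)
    }
    try {
      spf.newSAXParser().parse(new InputSource(new StringReader(xml)), handler)
      Right(text.toString)
    } catch {
      case e: SAXParseException => Left(e.getMessage)
    }
  }

  def main(args: Array[String]): Unit = {
    val hardened = hardenedFactory()
    println(s"hardened, plain:        ${parse(hardened, plain)}")
    println(s"hardened, with DOCTYPE: ${parse(hardened, withDoctype)}")
    // Contrast: a default factory processes the DTD and expands the entity.
    println(s"default,  with DOCTYPE: ${parse(SAXParserFactory.newInstance(), withDoctype)}")
  }
}
```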

              Assignee: Unassigned
              Reporter: Mike Beckerle (mbeckerle.dfdl)