users@jersey.java.net

Re: [Jersey] Jersey vulnerable to XXE attack?

From: Tim McCune <tim_at_mccune.name>
Date: Thu, 9 Jul 2009 14:18:30 -0700

On Thu, Jul 9, 2009 at 2:03 PM, Tatu Saloranta <tsaloranta_at_gmail.com> wrote:

> Also: similar option exists with Stax API,
> XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES;
> factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
> Boolean.FALSE);
> would do the trick.
>
> Given that you don't necessarily get to choose which parser gets
> instantiated by Jersey, it would make sense to use a more generic
> setting which can then translate to what is needed by the specific parser
> being instantiated?
> Plus it definitely would be reasonable to set this when "secure mode"
> is enabled.


I looked into this, and it turns out the StAX parser that's built into the
JDK (SJSXP) is not standards-compliant, and will not only default to not
expanding entities, but will throw an exception if you set that property to
Boolean.TRUE. :) So while not an immediate issue, I suppose it could become
one down the road if the JDK's implementation fixed that problem, and if
Jersey were to change to using StAX for parsing XML by default instead of
SAX.

I'm much more concerned about the immediate vulnerability though.
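As an added illustration of the StAX setting discussed in this thread (this is not code from the thread or from Jersey; the class name, the constructed sample document and the assumption that the underlying parser honours the property are mine), this builds one XMLInputFactory with the defaults and one with entity replacement and external-entity resolution switched off, then reads the same document through both so the difference in behaviour is visible:

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxEntityDemo {

    // Constructed sample: an internal entity that a parser would normally expand.
    private static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>"
        + "<note>&greeting;</note>";

    /** Factory configured so entity references are reported to the caller, not expanded. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Report &greeting; as an ENTITY_REFERENCE event instead of substituting its value.
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        // Never resolve external entities (the XXE vector), even if a DTD declares them.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Returns the text content of the document; unexpanded references appear as &name;. */
    static String readText(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        while (r.hasNext()) {
            switch (r.next()) {
                case XMLStreamConstants.CHARACTERS:
                    sb.append(r.getText());          // expanded text (default factory)
                    break;
                case XMLStreamConstants.ENTITY_REFERENCE:
                    sb.append('&').append(r.getLocalName()).append(';'); // hardened factory
                    break;
                default:
                    break;
            }
        }
        r.close();
        return sb.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println("default:  " + readText(XMLInputFactory.newInstance(), SAMPLE));
        System.out.println("hardened: " + readText(hardenedFactory(), SAMPLE));
    }
}
```

Whether a given StAX implementation accepts these property values is implementation-dependent, as the message above notes for the JDK's built-in parser, so a deployment should verify the behaviour against the parser Jersey actually instantiates.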