users@jersey.java.net

Re: [Jersey] SAX Feature error in Jersey 1.1.4.1

From: Tatu Saloranta <tsaloranta_at_gmail.com>
Date: Sat, 20 Feb 2010 10:36:17 -0800

On Sat, Feb 20, 2010 at 8:31 AM, Phil Griffin <phil.griffin_at_oracle.com> wrote:
> After a bit more debugging, this bit of Jersey code seems to be causing my
> pain...more specifically, pain in the SAXParserFactory I'm using.
>
> I'm not a SAX feature expert, but this snippet from
> com.sun.jersey.core.impl.provider.xml.SAXParserContextProvider doesn't make
> sense to me?
> Since disableXmlSecurity is false by default, the effect of this code is to
> disable "http://xml.org/sax/features/external-general-entities" processing
> in my factory, resulting in the exception I originally reported in this
> thread (which occurs during Jersey-driven processing/parsing of a POST
> request).

This makes sense to me: that feature controls whether external parsed
entities are to be resolved or not. Resolving them is a potential
security risk, since it can result in a URL connection to fetch the
contents of the entity. The feature is generally enabled by default, since
that is what the XML specification would dictate, so that the document is
completely processed.
The inverted logic is of course a bit hard to follow, but I think it is correct.

But whether failure should result in a runtime exception is a good
question. I am surprised that the parser does not recognize or support it,
since it is quite a fundamental SAX property as far as I know (and
amongst the earliest).
The second feature (specifically for secure processing) is a relative
newcomer, so failure is not that surprising.

-+ Tatu +-
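The pattern the thread is discussing, written out as an added example that is not Jersey's code and not the snippet from SAXParserContextProvider that Phil quoted. The hypothetical configure() method mirrors the inverted logic (external entity resolution is switched on only when a disableXmlSecurity flag is true), trySetFeature() shows where the SAXNotRecognizedException/SAXNotSupportedException that Phil hit comes from, and the example takes one possible answer to Tatu's open question: when security is wanted and the parser cannot turn external entities off, it fails closed rather than silently parsing. The temp file and the XML document are constructed sample input; the class and method names are assumptions for the demo.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;

public class SaxEntityFeatureDemo {

    // Standard SAX / JAXP feature names. The first is the one the thread discusses;
    // the secure-processing feature is the "second feature" Tatu mentions.
    static final String EXT_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String SECURE_PROCESSING = XMLConstants.FEATURE_SECURE_PROCESSING;

    /** Try to set a feature; return false instead of propagating when the parser does not know it. */
    static boolean trySetFeature(SAXParserFactory f, String name, boolean value)
            throws ParserConfigurationException {
        try {
            f.setFeature(name, value);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // This is the failure mode from the thread: a factory that does not support the feature.
            System.err.println("parser does not support " + name + ": " + e.getMessage());
            return false;
        }
    }

    /**
     * Hypothetical configuration routine (not Jersey's): entity resolution is ON only when
     * disableXmlSecurity is true, i.e. the inverted logic Phil quoted. When security is wanted
     * and the parser cannot switch external entities off, refuse to hand back a usable factory.
     */
    static SAXParserFactory configure(SAXParserFactory f, boolean disableXmlSecurity)
            throws ParserConfigurationException {
        boolean resolveExternal = disableXmlSecurity;
        boolean generalOk   = trySetFeature(f, EXT_GENERAL, resolveExternal);
        boolean parameterOk = trySetFeature(f, EXT_PARAMETER, resolveExternal);
        // Newer feature; a parser that lacks it is tolerated, as Tatu's reply suggests.
        trySetFeature(f, SECURE_PROCESSING, !disableXmlSecurity);
        if (!disableXmlSecurity && !(generalOk && parameterOk)) {
            throw new IllegalStateException(
                "cannot disable external entity resolution on " + f.getClass().getName());
        }
        return f;
    }

    /** Parse doc and return the character data seen under the root, marking any skipped entity. */
    static String parse(SAXParserFactory f, String doc)
            throws ParserConfigurationException, SAXException, IOException {
        StringBuilder text = new StringBuilder();
        f.newSAXParser().parse(new InputSource(new StringReader(doc)), new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int len) {
                text.append(ch, start, len);
            }
            @Override public void skippedEntity(String name) {
                // Called by the parser when external-general-entities is false and &name; is external.
                text.append("[skipped entity ").append(name).append("]");
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a temp file standing in for a local secret, pulled in by an
        // external general entity in the document's internal DTD subset.
        Path secret = Files.createTempFile("sax-demo", ".txt");
        Files.write(secret, "top-secret".getBytes(StandardCharsets.UTF_8));
        String doc = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<d>&ext;</d>";
        try {
            // Default (security on): the entity is skipped, so the file contents never reach the handler.
            System.out.println("secure:   " + parse(configure(SAXParserFactory.newInstance(), false), doc));
            // disableXmlSecurity=true: the parser fetches the file and delivers "top-secret" as text.
            System.out.println("insecure: " + parse(configure(SAXParserFactory.newInstance(), true), doc));
        } finally {
            Files.delete(secret);
        }
    }
}
```

With the JDK's built-in parser, which supports all three features, the secure run prints the skipped-entity marker and the insecure run prints the file contents; a factory that rejects the external-general-entities feature would instead reach the IllegalStateException in configure(), which is the fail-closed choice this example makes for the case the thread leaves open.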