users@jersey.java.net

[Jersey] Re: how to disable xml validation?

From: gerard davison <gerard.davison_at_oracle.com>
Date: Thu, 12 May 2011 12:35:39 +0100

Christian,

What version of Jersey are you using? I remember sometime last year Paul
Sandoz made all the fixes to stop Jersey resolving external entities
because of this security issue.

http://java.net/jira/browse/JERSEY-323

It seems there is still a problem then,

Gerard

On 09/05/2011 10:40, Tatu Saloranta wrote:
> On Sun, May 8, 2011 at 11:35 PM, Christian Hennig
> <caraboides_at_googlemail.com> wrote:
>> Hi,
>>
>> we use jersey for our REST-API, all works fine. But we have a "little" security issue with our REST service:
>>
>> The service is able to consume xml-files (http post). In xml it is possible to set a url in the doctype for schema-files. The problem is that the Application-Server tries to download this file. Example:
>>
>> <!DOCTYPE foo PUBLIC "foo" "http://foo.bar.intranet/test">
>>
>> This is a problem for us, because an external person can now send http-gets to our internal servers, which are normally not reachable from outside. Or to other external sites like:
>>
>> <!DOCTYPE bar PUBLIC "bar" "http://evil-host.example.com/test">
>>
>> how can we disable the xml-validation or the download of external schema-files?
>
> This is not related to XML validation, since external DTD subset must
> be loaded and processed by compliant XML parsers, not just for DTD
> validation but to also resolve possible external entities. The only
> case parsers are allowed to skip this is when xml declaration
> indicates that document is a standalone one (standalone="true"),
> although many parsers still load the subset.
>
> The usual workaround is to specify custom entity resolver, which can
> redirect reads from external URL to something else (typically by just
> returning empty String which is valid DTD subset). This works for SAX
> and Stax parsers.
>
> -+ Tatu +-

-- 
Gerard Davison | Senior Principal Software Engineer | +44 118 924 5095
Oracle JDeveloper Web Service, Spring, Weblogic SCA Tooling Development
Oracle Corporation UK Ltd is a company incorporated in England & Wales.
Company Reg. No. 1782505.
Reg. office: Oracle Parkway, Thames Valley Park, Reading RG6 1RA.
Blog http://kingsfleet.blogspot.com Twitter kingsfleet
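The entity-resolver workaround Tatu describes, as an added example that is not part of the thread or of Jersey's own code. The sample document, class and method names are constructed for illustration. `parseWithEmptyResolver` does exactly what the reply suggests: it hands the parser an empty string for every external DTD or entity lookup, so the DOCTYPE at `http://foo.bar.intranet/test` is never fetched and the element content is still parsed. `parseRejectingDoctype` goes one step beyond the thread and switches off external entity handling with the standard SAX/Xerces feature flags, refusing any document that carries a DOCTYPE at all; it is the stricter option when your API never needs DTDs.

```java
import java.io.StringReader;

import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class ExternalDtdDemo {

    // Constructed sample: a DOCTYPE pointing at an internal host, as in the thread.
    static final String DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo PUBLIC \"foo\" \"http://foo.bar.intranet/test\">\n"
      + "<foo>hello</foo>";

    // Workaround from the thread: answer every external-entity lookup with an
    // empty DTD subset instead of fetching systemId over the network.
    static final class EmptyEntityResolver implements EntityResolver {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            System.err.println("blocked external fetch of " + systemId);
            return new InputSource(new StringReader(""));
        }
    }

    // Collects element text so the caller can see the document was still parsed.
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();

        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    // Option 1: keep DOCTYPE support but never touch the network.
    static String parseWithEmptyResolver(String xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        reader.setEntityResolver(new EmptyEntityResolver());
        TextCollector handler = new TextCollector();
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new StringReader(xml)));
        return handler.text.toString();
    }

    // Option 2 (stricter; an addition beyond the thread): refuse any DOCTYPE and
    // disable external entity expansion via the standard SAX/Xerces features.
    // A document carrying a DOCTYPE is rejected with a SAXParseException.
    static String parseRejectingDoctype(String xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        TextCollector handler = new TextCollector();
        factory.newSAXParser().parse(new InputSource(new StringReader(xml)), handler);
        return handler.text.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("resolver: " + parseWithEmptyResolver(DOC));
        try {
            parseRejectingDoctype(DOC);
            System.out.println("parsed (no DOCTYPE present)");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

One caveat with the empty-resolver approach: a document whose entities are declared only in the external subset will now fail with an undeclared-entity error, which is the intended outcome for an API that never expected DTDs. The resolver must be set on the same `XMLReader` (or `DefaultHandler`) instance the framework actually parses with, so in a JAX-RS deployment the hook has to be applied wherever the SAX or StAX parser is created, not only in standalone test code.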