Hi,
we use Jersey for our REST API, and all works fine. But we have a "little" security issue with our REST service:
The service is able to consume XML files (HTTP POST). In XML it is possible to set a URL in the DOCTYPE for schema files. The problem is that the application server tries to download this file. Example:
<!DOCTYPE foo PUBLIC "foo" "http://foo.bar.intranet/test">
This is a problem for us, because an external person can now send HTTP GETs to our internal servers, which are normally not reachable from outside. Or to other external sites like:
<!DOCTYPE bar PUBLIC "bar" "http://evil-host.example.com/test">
How can we disable the XML validation or the download of external schema files?
thx for help!
christian
--
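The fix the post is asking for, shown as an added standalone example (not code from the poster or from the Jersey project): configure the JAXP DocumentBuilderFactory so that a DOCTYPE is rejected outright and no external DTD, entity or schema URL is ever fetched. The sample XML below is constructed from the DOCTYPE in the post. How to plug such a factory into Jersey's XML message body reader is not shown here and depends on the Jersey version in use.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class HardenedXmlParsing {

    // Constructed sample modelled on the DOCTYPE from the post: the system
    // identifier points at an internal host the parser must never contact.
    static final String SAMPLE_WITH_DOCTYPE =
        "<!DOCTYPE foo PUBLIC \"foo\" \"http://foo.bar.intranet/test\">\n"
      + "<foo>hello</foo>";

    // Constructed sample without a DOCTYPE; this one must still parse.
    static final String SAMPLE_PLAIN = "<foo>hello</foo>";

    /** Builds a factory that refuses DOCTYPEs and all external resources. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Xerces (the JDK's default parser): reject any DOCTYPE declaration,
        // so no DTD, entity or schema URL can be declared, let alone fetched.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case another parser implementation is picked up
        // and does not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setValidating(false);
        // JAXP 1.5+: an empty protocol list means "no external DTD/schema access".
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Returns the root element name, or null if the parser rejected the document. */
    public static String parseRootName(String xml) {
        try {
            DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
            return builder
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement()
                .getTagName();
        } catch (Exception e) {
            // A document carrying a DOCTYPE ends up here (SAXParseException)
            // before any network connection is attempted.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("with DOCTYPE -> " + parseRootName(SAMPLE_WITH_DOCTYPE));
        System.out.println("plain        -> " + parseRootName(SAMPLE_PLAIN));
    }
}
```

With the JDK's built-in Xerces parser, the first call is rejected at the DOCTYPE line and the second returns the root element name, so the service keeps accepting ordinary XML payloads while the server never issues the outbound request the post describes. Rejecting the DOCTYPE entirely is preferable to merely disabling validation, because it also removes entity expansion as an issue.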