users@jersey.java.net

[Jersey] Re: how to disable xml validation?

From: Tatu Saloranta <tsaloranta_at_gmail.com>
Date: Mon, 9 May 2011 12:40:09 +0300

On Sun, May 8, 2011 at 11:35 PM, Christian Hennig
<caraboides_at_googlemail.com> wrote:
> Hi,
>
> we use jersey for our REST-API, all works fine. But we have a "little" security issue with our REST service:
>
> The service is able to consume xml-files (http post). In XML it is possible to set a URL in the doctype for schema-files. The problem is that the Application-Server tries to download this file. Example:
>
> <!DOCTYPE foo PUBLIC "foo" "http://foo.bar.intranet/test">
>
> This is a problem for us, because an external person can now send http-gets to our internal servers, which are normally not reachable from outside. Or to other external sites like:
>
> <!DOCTYPE bar PUBLIC "bar" "http://evil-host.example.com/test">
>
> How can we disable the xml-validation or the download of external schema-files?


This is not related to XML validation, since the external DTD subset must
be loaded and processed by compliant XML parsers, not just for DTD
validation but also to resolve possible external entities. The only
case in which parsers are allowed to skip this is when the XML declaration
indicates that the document is a standalone one (standalone="true"),
although many parsers still load the subset.

The usual workaround is to specify a custom entity resolver, which can
redirect reads from the external URL to something else (typically by just
returning an empty String, which is a valid DTD subset). This works for SAX
and StAX parsers.

-+ Tatu +-
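The workaround Tatu describes, shown as an added example rather than code from the thread or from Jersey itself: a JAXP `DocumentBuilder` (SAX underneath) is given an `EntityResolver` that answers every external DTD or entity reference with an empty `InputSource`, so the parser never opens the URL in the DOCTYPE. The sample document, the `dtd-host.invalid` host name and the class/method names are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class NoExternalDtdExample {

    /**
     * Entity resolver that never touches the network: every external
     * DTD subset or external entity reference is answered with an empty
     * string, which the parser accepts as a valid (empty) DTD subset.
     * It also counts how often it fired, so a caller can verify that the
     * DOCTYPE reference was intercepted instead of fetched.
     */
    static final class EmptyDtdResolver implements EntityResolver {
        int blocked = 0;

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            blocked++;
            System.out.println("blocked external reference: " + systemId);
            return new InputSource(new StringReader(""));
        }
    }

    /** Parses untrusted XML without letting the DOCTYPE trigger an outbound request. */
    static Document parseWithoutExternalDtd(String xml, EmptyDtdResolver resolver)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setValidating(false);   // we are not validating; the DTD is only fetched for entities
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setEntityResolver(resolver);
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document; the host name is a placeholder (.invalid is reserved).
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo PUBLIC \"foo\" \"http://dtd-host.invalid/test\">\n"
                + "<foo>hello</foo>";

        EmptyDtdResolver resolver = new EmptyDtdResolver();
        Document doc = parseWithoutExternalDtd(xml, resolver);

        System.out.println("root element: " + doc.getDocumentElement().getTagName());
        System.out.println("external references intercepted: " + resolver.blocked);
    }
}
```

When the XML is unmarshalled by JAXB rather than parsed to a DOM, the same resolver can be attached to an `XMLReader` obtained from `SAXParserFactory`, and the reader wrapped in a `javax.xml.transform.sax.SAXSource` that is handed to `Unmarshaller.unmarshal`; that is the general JAXP pattern, not Jersey-specific code. If the service has no legitimate need for DOCTYPEs at all, refusing them outright is stricter than answering them with an empty subset: Xerces-based parsers expose the feature `http://apache.org/xml/features/disallow-doctype-decl` for that purpose.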