[xsd-users] XercesC security problems

Boris Kolpackov boris at codesynthesis.com
Thu Sep 10 06:27:57 EDT 2015


Hi Vladimir,

Vladimir Zykov <vladimir.zykov at ncloudtech.ru> writes:

> Before investigating/trying to fix it on our own I wanted to ask you 
> if XSD already provides a way to disable external entity resolving
> in XercesC.

No, XSD doesn't have built-in support for this. And it is surprisingly
hard to achieve in Xerces-C++. It has a security manager that can be
used to limit the number of entity expansions. So one would think it
is a simple matter of setting this limit to 0. But, no, Xerces-C++
first expands the entity and then checks the limit. Brilliant!

In any case, I've decided to create an example that demonstrates
how this can be done. In a nutshell, we have to provide a customized
DOM parser that intercepts attempts to parse DOCTYPEs that contain
either internal or external DTD subset. It still accepts simple
DOCTYPE declarations, though. It is not exactly what you asked for
(i.e., ignoring external entity expansions), but I think this is
the best we can do in Xerces-C++. I think we might be able to
ignore the external subset via the EntityResolver.

The example archive is here:

http://codesynthesis.com/~boris/tmp/xsd/secure.tar.gz

See the README file to get started.

Boris
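As an added illustration (not the code from the secure.tar.gz archive, XSD or Xerces-C++), a standalone C++ pre-check that applies the same policy to the raw prolog before the bytes reach Xerces-C++: a bare DOCTYPE is allowed, while one carrying an internal subset or an external (SYSTEM/PUBLIC) subset is flagged. The function names and sample documents are constructed for this example.

```cpp
#include <cctype>
#include <string>

// How a document's DOCTYPE is classified, mirroring the policy described in
// the message: a bare declaration is fine, anything with an internal subset
// ("[...]") or an external subset (SYSTEM/PUBLIC identifier) is refused.
enum class Doctype { None, Simple, InternalSubset, ExternalSubset };

// Standalone pre-check on the raw prolog (constructed for this example): skips
// the XML declaration, PIs and comments, then inspects the first DOCTYPE
// declaration, if any. Quoted literals are skipped so that a '[' inside a
// system identifier is not mistaken for an internal subset.
Doctype classify_doctype(const std::string& xml) {
    std::size_t pos = 0;
    for (;;) {
        std::size_t lt = xml.find('<', pos);
        if (lt == std::string::npos) return Doctype::None;
        if (xml.compare(lt, 4, "<!--") == 0) {            // comment
            std::size_t end = xml.find("-->", lt + 4);
            if (end == std::string::npos) return Doctype::None;
            pos = end + 3;
        } else if (xml.compare(lt, 2, "<?") == 0) {       // XML declaration or PI
            std::size_t end = xml.find("?>", lt + 2);
            if (end == std::string::npos) return Doctype::None;
            pos = end + 2;
        } else if (xml.compare(lt, 9, "<!DOCTYPE") == 0) {
            pos = lt + 9;
            break;
        } else {
            return Doctype::None;  // root element reached: a DOCTYPE can only precede it
        }
    }
    // Walk the declaration up to its closing '>', ignoring quoted literals.
    bool external = false;
    std::string word;
    auto flush = [&]() { if (word == "SYSTEM" || word == "PUBLIC") external = true; word.clear(); };
    for (; pos < xml.size(); ++pos) {
        char c = xml[pos];
        if (c == '"' || c == '\'') {                       // skip a quoted literal
            std::size_t end = xml.find(c, pos + 1);
            if (end == std::string::npos) return Doctype::None;
            pos = end; flush(); continue;
        }
        if (c == '[') return Doctype::InternalSubset;     // rejected whether or not an external id is present
        if (c == '>') { flush(); return external ? Doctype::ExternalSubset : Doctype::Simple; }
        if (std::isspace(static_cast<unsigned char>(c))) flush(); else word += c;
    }
    return Doctype::None;  // unterminated declaration: the real parser will report it
}

// Policy decision: only documents without a DOCTYPE, or with a bare one, pass.
bool doctype_allowed(const std::string& xml) {
    Doctype d = classify_doctype(xml);
    return d == Doctype::None || d == Doctype::Simple;
}
```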


