[xsd-users] XercesC security problems

Vladimir Zykov vladimir.zykov at ncloudtech.ru
Tue Sep 8 10:46:26 EDT 2015


Hi Boris,

We've encountered one nasty security problem with the way we use XSD. In general the problem is not in XSD. It's in Xerces-C++, but since XSD wraps it we need some way to configure XercesC at runtime through XSD. The problem is known and described here: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

Before investigating/trying to fix it on our own I wanted to ask you if XSD already provides a way to disable external entity resolving in XercesC.

Actually we want to completely disable entity processing, even if we will then not be able to parse some XML instances, as there is the other related problem described here http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion which we may potentially hit.

Thanks,

Vladimir Zykov
Software Engineer
New Cloud Technologies, Ltd
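Added example, not part of the mailing-list thread and not XSD or Xerces-C++ code: a pre-parse screen in C++ that refuses any document containing a DOCTYPE before the bytes reach Xerces. Internal and external entities can only be declared inside a DOCTYPE, so refusing it blocks both the XXE case and the entity-expansion case the post links to, which matches the "disable entity processing entirely" policy stated in the post. It also covers an encoding edge case: Xerces auto-detects UTF-16 and UCS-4 from the leading bytes, so a naive byte search for `<!DOCTYPE` can be evaded by encoding the payload as UTF-16; the screen folds UTF-16 down to ASCII and refuses UCS-4 and EBCDIC input it does not decode. The function names (`screenXml`, `asciiProjection`, `toUtf16le`) and the sample documents are constructed for this example. A screen like this is defence in depth, not a replacement for the parser-side settings: on Xerces-C++ 3.x one would still clear `XMLUni::fgXercesLoadExternalDTD`, set `XMLUni::fgXercesDisableDefaultEntityResolution`, and install a `SecurityManager` with a low `setEntityExpansionLimit`; since XSD's generated parsing functions also accept a pre-parsed `xercesc::DOMDocument`, those features can be set on a `XercesDOMParser` driven by the application itself.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Outcome of the pre-parse screen applied to the raw document bytes.
enum class XmlScreen { Accept, RejectDoctype, RejectEncoding };

// Reduce the document to an ASCII projection the scanner can search.
// Xerces sniffs the encoding from the BOM / first four bytes, so a byte-wise
// search for "<!DOCTYPE" would miss a UTF-16 document in which every letter is
// paired with a zero byte. We mirror the sniffing: UTF-8 (with or without BOM)
// is scanned as-is, UTF-16 has its zero bytes folded away, and UCS-4 / EBCDIC
// input (or anything shorter than four bytes, which cannot be XML) is refused.
// Returns false when the encoding is refused.
static bool asciiProjection(const std::string& doc, std::string& out) {
    auto b = [&](std::size_t i) -> unsigned {
        return i < doc.size() ? static_cast<unsigned char>(doc[i]) : 0u;
    };
    std::size_t start = 0;
    bool le = false, be = false;
    if (b(0) == 0xEF && b(1) == 0xBB && b(2) == 0xBF) {
        start = 3;                                    // UTF-8 BOM
    } else if (b(0) == 0xFF && b(1) == 0xFE && b(2) == 0x00 && b(3) == 0x00) {
        return false;                                 // UCS-4LE BOM
    } else if (b(0) == 0xFF && b(1) == 0xFE) {
        le = true; start = 2;                         // UTF-16LE BOM
    } else if (b(0) == 0xFE && b(1) == 0xFF) {
        be = true; start = 2;                         // UTF-16BE BOM
    } else if (b(0) == 0x3C && b(1) == 0x00 && b(2) == 0x3F && b(3) == 0x00) {
        le = true;                                    // "<?" in UTF-16LE, no BOM
    } else if (b(0) == 0x00 && b(1) == 0x3C && b(2) == 0x00 && b(3) == 0x3F) {
        be = true;                                    // "<?" in UTF-16BE, no BOM
    } else if (b(0) == 0 || b(1) == 0 || b(2) == 0 || b(3) == 0) {
        return false;                                 // UCS-4 or other zero-padded form
    } else if (b(0) == 0x4C && b(1) == 0x6F && b(2) == 0xA7 && b(3) == 0x94) {
        return false;                                 // EBCDIC "<?xm"
    }
    if (!le && !be) { out = doc.substr(start); return true; }
    if ((doc.size() - start) % 2 != 0) return false;  // odd byte count: not UTF-16
    out.clear();
    for (std::size_t i = start; i + 1 < doc.size(); i += 2) {
        unsigned hi = le ? b(i + 1) : b(i);
        unsigned lo = le ? b(i) : b(i + 1);
        // Non-ASCII code units become a placeholder byte that can never match markup.
        out.push_back(hi == 0 && lo < 0x80 ? static_cast<char>(lo) : '\x80');
    }
    return true;
}

// Screen raw XML bytes before they reach the parser. A DOCTYPE is the only place
// an XML document can declare entities, internal or external, so refusing it
// rules out XXE and entity-expansion payloads at once. The keyword is
// case-sensitive in XML, so one exact match suffices; the whole document is
// searched rather than just the prolog, accepting a false positive on a
// "<!DOCTYPE" inside a comment or CDATA section as the safe failure mode.
XmlScreen screenXml(const std::string& doc) {
    std::string ascii;
    if (!asciiProjection(doc, ascii)) return XmlScreen::RejectEncoding;
    if (ascii.find("<!DOCTYPE") != std::string::npos) return XmlScreen::RejectDoctype;
    return XmlScreen::Accept;
}

// Encode an ASCII string as UTF-16LE (optionally BOM-prefixed) to build the
// encoded payloads used below.
std::string toUtf16le(const std::string& ascii, bool bom) {
    std::string out = bom ? std::string("\xFF\xFE", 2) : std::string();
    for (char c : ascii) { out.push_back(c); out.push_back('\0'); }
    return out;
}

// Constructed sample documents for this example; not taken from the mailing list.
const std::string kBenign =
    "<?xml version=\"1.0\"?><order><id>42</id></order>";
const std::string kXxe =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
    "<order><id>&xxe;</id></order>";
const std::string kLaughs =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE lolz [<!ENTITY lol \"lol\">"
    "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">]>\n"
    "<lolz>&lol2;</lolz>";
const std::string kUcs4 = std::string("\0\0\0<\0\0\0?", 8);   // UCS-4BE "<?"

int main() {
    struct { const char* name; std::string doc; } cases[] = {
        {"benign UTF-8", kBenign}, {"XXE", kXxe}, {"billion laughs", kLaughs},
        {"XXE as UTF-16LE", toUtf16le(kXxe, true)}, {"UCS-4 prefix", kUcs4},
    };
    for (const auto& c : cases) {
        XmlScreen r = screenXml(c.doc);
        std::cout << c.name << ": "
                  << (r == XmlScreen::Accept ? "accept, hand to Xerces"
                      : r == XmlScreen::RejectDoctype ? "reject: DOCTYPE present"
                                                      : "reject: unsupported encoding")
                  << '\n';
    }
    return 0;
}
```

The projection deliberately refuses encodings it does not decode instead of trying to scan them, because a screen that silently passes an undecoded document is exactly the bypass an attacker would look for; if UCS-4 input must be accepted, decode it fully before scanning rather than loosening the check.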