[JDEV] XML Requirements for Parsing Jabber Messages
Charles Miller
cmiller at pastiche.org
Sat Nov 2 22:00:02 CST 2002
Matthew A. Miller propagated the following meme:
> * External entity references[2]
One thing to note, a recent bugtraq posting[1] pointed at a long-standing
security issue with XML parsers and external entity references. For
example, <!ENTITY foo SYSTEM "file:///dev/random"> could be an effective
DoS against a fully compliant parser.

Thus, if you're using an off-the-shelf XML parser, it's a good idea to
filter out things you're not expecting (such as DTD declarations) before
they hit the parser.
Charles Miller
[1] http://online.securityfocus.com/archive/1/297714/2002-10-24/2002-10-30/2
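The two defences the post recommends, a pre-filter that rejects DTD declarations before the parser sees them and a parser that refuses to resolve external entities, as an added example that is not part of the original message. It uses only Python's standard-library expat binding; the stanzas, the `StreamPrefilter` class and the `UnsafeMarkupError` name are constructed for illustration and are not Jabber code. The stream filter carries a short tail across chunk boundaries so a declaration split between two reads is still caught.

```python
import re
import xml.parsers.expat

# Constructed sample stanzas (not taken from the original post).
SAFE_MSG = '<message to="a@example.com"><body>hi</body></message>'
DTD_MSG = ('<!DOCTYPE message [<!ENTITY foo SYSTEM "file:///dev/random">]>'
           '<message><body>&foo;</body></message>')

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b', re.IGNORECASE)


class UnsafeMarkupError(ValueError):
    """Raised when input carries markup the stream is not expected to contain."""


class StreamPrefilter:
    """Rejects DTD declarations before data reaches the XML parser.

    Jabber streams arrive in chunks, so the last few characters of each
    chunk are kept and prepended to the next one; otherwise '<!DOC' at the
    end of one read and 'TYPE' at the start of the next would slip through.
    """
    TAIL = len("<!DOCTYPE") - 1

    def __init__(self):
        self._carry = ""

    def feed(self, chunk):
        window = self._carry + chunk
        if DOCTYPE_RE.search(window):
            raise UnsafeMarkupError("DTD declaration not allowed in stream")
        self._carry = window[-self.TAIL:]
        return chunk


def make_parser():
    """Expat parser that refuses external entities even if a DTD gets through."""
    p = xml.parsers.expat.ParserCreate()

    def refuse_external(context, base, system_id, public_id):
        # Expat calls this instead of opening system_id itself; raising here
        # aborts the parse, so file:///dev/random is never touched.
        raise UnsafeMarkupError("external entity reference refused: %r" % system_id)

    p.ExternalEntityRefHandler = refuse_external
    # Parameter entities (the DTD-side equivalent) are not processed either.
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    return p


def parse_stanza(data, prefilter_enabled=True):
    """Parse one stanza and return the element names seen, in document order.

    With prefilter_enabled=False the DTD reaches the parser, which exercises
    the second line of defence (the external entity handler).
    """
    if prefilter_enabled:
        data = StreamPrefilter().feed(data)
    seen = []
    p = make_parser()
    p.StartElementHandler = lambda name, attrs: seen.append(name)
    p.Parse(data, True)
    return seen


if __name__ == "__main__":
    print(parse_stanza(SAFE_MSG))
    for enabled in (True, False):
        try:
            parse_stanza(DTD_MSG, prefilter_enabled=enabled)
        except UnsafeMarkupError as e:
            print("rejected (prefilter=%s): %s" % (enabled, e))
```

The pre-filter is the cheap first line: a Jabber stream never legitimately carries a DOCTYPE, so dropping the connection on sight costs nothing. The parser-side handler is the backstop for whatever the filter misses, which matters because a filter that only looks at one chunk at a time is easy to get wrong.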