  1. Apr 27, 2003
  2. Apr 25, 2003
  3. Apr 24, 2003
  4. Apr 22, 2003
  5. Apr 21, 2003
  6. Apr 17, 2003
    • This commit implements detection of exponential entity · 9daf99e4
      Neil Graham authored
      expansions inside the scanner code.  This is only done when a
      security manager instance has been registered with the parser by
      the application.  The default number of entities which may be
      expanded is 50000; this appears to work very well for SAX, but DOM
      parsing applications may wish to set this limit considerably lower.
      
      
      git-svn-id: https://svn.apache.org/repos/asf/xerces/c/trunk@174905 13f79535-47bb-0310-9956-ffa450edef68
    • Adding a new property, · 99759a8d
      Neil Graham authored
      http://apache.org/xml/properties/security-manager, with
      appropriate getSecurityManager/setSecurityManager methods on DOM
      and SAX parsers.  Also adding a new SecurityManager class.
      
      The purpose of these modifications is to permit applications a
      means to have the parser reject documents whose processing would
      otherwise consume large amounts of system resources.  Malicious
      use of such documents could be used to launch a denial-of-service
      attack against a system running the parser.  Initially, the
      SecurityManager only knows about attacks that can result from
      exponential entity expansion; this is the only known attack that
      involves processing a single XML document.  Other, similar attacks
      can be launched if arbitrary schemas may be parsed; there already
      exist means (via use of the EntityResolver interface) by which
      applications can deny processing of untrusted schemas.  In future,
      the SecurityManager will be expanded to take these other exploits
      into account.
      
      
      git-svn-id: https://svn.apache.org/repos/asf/xerces/c/trunk@174904 13f79535-47bb-0310-9956-ffa450edef68
  7. Apr 15, 2003
  8. Apr 14, 2003
  9. Apr 09, 2003
  10. Apr 07, 2003
  11. Apr 04, 2003
  12. Apr 03, 2003
  13. Apr 02, 2003