If your system does take in external XML data this security tip is for you!
While XML does not allow recursive entity definitions, it does permit nested ones: an entity may reference other entities, which in turn reference others. That creates the potential for a denial-of-service attack against any server that accepts XML data from external sources. In a SOAP document like the one below, every entity expands to two copies of the next one, so the single reference &x1; expands to 2^99 copies of "foobar"; parsing it can consume 100% of CPU time and a great deal of memory in entity expansions alone. (Entity declarations must sit in the document's internal DTD subset, so the DOCTYPE wrapper omitted from the original listing is shown here; the declarations for x97 down to x3 follow the same pattern and are elided.)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ns1:aaa [
<!ENTITY x100 "foobar">
<!ENTITY x99 "&x100;&x100;">
<!ENTITY x98 "&x99;&x99;">
<!-- x97 down to x3 follow the same pattern -->
<!ENTITY x2 "&x3;&x3;">
<!ENTITY x1 "&x2;&x2;">
]>
<ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="...">

A system that never takes in external XML data need not be concerned with this issue, but one that does can use either of the following safeguards to prevent the problem:
New system property to limit entity expansion
The entityExpansionLimit system property lets an existing application constrain the total number of entity expansions without recompiling its code. Once the parser reaches the limit it throws a fatal error, so the document is rejected instead of being expanded. In the parser this tip was written for, no limit is set by default, because such a constraint would make the parser incompatible with the XML 1.0 specification. Current JDKs behave differently: the built-in parser enforces a default limit of 64,000 expansions and also reads the property under the name jdk.xml.entityExpansionLimit, with the legacy entityExpansionLimit name still honored.
To set the entity expansion limit with the system property, pass it on the java command line with -D, for example (the value 100000 and the class name MyApplication are placeholders; choose a value that legitimate documents never reach):

java -DentityExpansionLimit=100000 MyApplication
New parser property to disallow DTDs
The application can instead set the parser feature http://apache.org/xml/features/disallow-doctype-decl to true. A fatal error is then thrown as soon as the incoming XML document contains a DOCTYPE declaration, so no entity is ever declared, let alone expanded. (The default value for this feature is false.) This is typically the right choice for SOAP-based applications, since a SOAP message must not contain a Document Type Declaration anyway; rejecting the DOCTYPE outright also shuts out the other DTD-based attack, external entity references, which the expansion limit alone does not.
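The following program is an added example and not code from the original tip. It builds an entity-expansion document of the same shape as the one above (depth, class name and helper names are my own choices) and feeds it to two JAXP DocumentBuilders, one hardened with each safeguard described in the two sections above. It assumes the JDK's built-in parser, which understands the Apache feature URI and, with FEATURE_SECURE_PROCESSING enabled, enforces the default expansion limit of 64,000 unless the entityExpansionLimit / jdk.xml.entityExpansionLimit system property overrides it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

/**
 * Builds an entity-expansion ("billion laughs") document of configurable depth
 * and feeds it to two JAXP parsers, one hardened with each safeguard from the tip.
 * Added example; not the original article's code.
 */
public class EntityExpansionDemo {

    /**
     * Constructed payload with the same shape as the article's example: x{depth}
     * is "foobar" and every x{i} is two copies of x{i+1}, so &x1; expands to
     * 2^(depth-1) copies of "foobar". depth=100 reproduces the article's 2^99.
     */
    static String buildPayload(int depth) {
        StringBuilder sb = new StringBuilder();
        sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE aaa [\n");
        sb.append("  <!ENTITY x").append(depth).append(" \"foobar\">\n");
        for (int i = depth - 1; i >= 1; i--) {
            sb.append("  <!ENTITY x").append(i)
              .append(" \"&x").append(i + 1).append(";&x").append(i + 1).append(";\">\n");
        }
        sb.append("]>\n<aaa>&x1;</aaa>\n");
        return sb.toString();
    }

    /** Second safeguard from the tip: refuse any document that carries a DOCTYPE. */
    static DocumentBuilder noDoctypeParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    /**
     * First safeguard from the tip: keep DTDs but cap the number of expansions.
     * FEATURE_SECURE_PROCESSING makes the JDK parser enforce its expansion limit
     * (64,000 unless overridden); -DentityExpansionLimit=N on the command line, or
     * the newer -Djdk.xml.entityExpansionLimit=N, changes the cap without recompiling.
     */
    static DocumentBuilder limitedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    /** Parses xml with the given builder and reports whether it was accepted. */
    static String tryParse(String label, DocumentBuilder db, String xml) {
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return label + ": parsed OK";
        } catch (SAXParseException e) {
            // Both safeguards surface as a fatal parse error, which is the desired outcome.
            return label + ": rejected (" + e.getMessage() + ")";
        } catch (Exception e) {
            return label + ": failed (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // depth 10: 512 copies of "foobar", about a thousand expansion events, harmless
        String small = buildPayload(10);
        // depth 30: 2^29 copies, enough to peg a CPU on a parser with no cap
        String big = buildPayload(30);

        System.out.println(tryParse("disallow-doctype-decl, small", noDoctypeParser(), small));
        System.out.println(tryParse("disallow-doctype-decl, big  ", noDoctypeParser(), big));
        System.out.println(tryParse("expansion limit,       small", limitedParser(), small));
        System.out.println(tryParse("expansion limit,       big  ", limitedParser(), big));
    }
}
```

Compile with javac and run with java; no third-party libraries are needed. The DOCTYPE-rejecting parser refuses both documents, while the limited parser accepts the small one and throws on the large one once it passes 64,000 expansions. Do not try the large payload against an unhardened DocumentBuilderFactory on a shared machine: that is exactly the CPU and memory burn the tip warns about.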
This tip is based on: