Easy to Learn Java: Programming Articles, Examples and Tips

Good to know: If your system does take in external XML data this security tip is for you!

While XML does not allow recursive entity definitions, it does permit nested entity definitions, which creates the potential for Denial of Service attacks on a server that accepts XML data from external sources. For example, a SOAP document like the following, with extremely deeply nested entity definitions, can consume 100% of CPU time and a large amount of memory while the parser expands the entities.

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foobar[
<!ENTITY x100 "foobar">
<!ENTITY x99 "&x100;&x100;">
<!ENTITY x98 "&x99;&x99;">
...
<!ENTITY x2 "&x3;&x3;">
<!ENTITY x1 "&x2;&x2;">
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=...>
<SOAP-ENV:Body>
<ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="...">
<foobar xsi:type="xsd:string">&x1;</foobar>
</ns1:aaa>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

A system that doesn't take in external XML data need not be concerned with this issue, but one that does can use one of the following safeguards to prevent the problem:

New system property to limit entity expansion
The entityExpansionLimit system property lets existing applications constrain the total number of entity expansions without recompiling the code. The parser throws a fatal error once it has reached the entity expansion limit. (By default, no limit is set, because such a constraint would make the XML parser incompatible with the XML 1.0 specification.)

To set the entity expansion limit using the system property, use an option like the following on the java command line: -DentityExpansionLimit=100000

New parser property to disallow DTDs
The application can also set the http://apache.org/xml/features/disallow-doctype-decl parser property to true. A fatal error is then thrown if the incoming XML document contains a DOCTYPE declaration. (The default value for this property is false.) This property is typically useful for SOAP-based applications, where a SOAP message must not contain a Document Type Declaration.
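The second safeguard, applied programmatically through JAXP, as an added example that is not part of the original tip: the builder rejects any document carrying a DOCTYPE, so no entity definitions can reach the expansion step at all. The class name, the helper method names and the two sample documents are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class NoDoctypeParser {

    // Parser feature named in the tip: a DOCTYPE declaration becomes a fatal error.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds a DocumentBuilder that refuses DTDs; without a DTD there is nothing to expand. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE, true);
        return factory.newDocumentBuilder();
    }

    /** Returns the root element name on success, or null when the parser rejected the input. */
    static String rootElementOrNull(String xml) throws Exception {
        try {
            Document doc = hardenedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, the DOCTYPE itself triggers this fatal error
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain SOAP-style body, and the same body preceded by a DTD
        String plain = "<?xml version=\"1.0\"?>"
            + "<Envelope><Body><foobar>hello</foobar></Body></Envelope>";
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE foobar [<!ENTITY x \"foobar\">]>"
            + "<Envelope><Body><foobar>&x;</foobar></Body></Envelope>";
        System.out.println("plain document root: " + rootElementOrNull(plain));
        System.out.println("document with DTD root: " + rootElementOrNull(withDtd));
        // The tip's other safeguard, -DentityExpansionLimit=100000, is a JVM flag and needs no code.
    }
}
```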

This tip is based on:
http://java.sun.com/j2se/1.4.2/relnotes.html#jaxp

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest 1999-2006 by Java FAQs Daily Tips.