Check secure feature processing enabled #204

ashawley · 2018-04-06T19:58:45Z

With respect to #177, it appears that 3 of the 8 security features in JAXP/SAX/Xerces are already enabled by default all the way back to JDK 6. They are:

http://javax.xml.XMLConstants/feature/secure-processing is already enabled
isXIncludeAware is already disabled
isNamespaceAware is already disabled

These 5 are not enabled:

http://xml.org/sax/features/external-general-entities
http://apache.org/xml/features/nonvalidating/load-external-dtd
http://apache.org/xml/features/disallow-doctype-decl
http://xml.org/sax/features/external-parameter-entities
http://xml.org/sax/features/resolve-dtd-uris

ashawley · 2018-04-06T20:00:20Z

Tests show that the default settings enabled are not the desired ones.

[error] Test scala.xml.XMLTestJVM.issue17ExternalParameterEntities failed
[error] Test scala.xml.XMLTestJVM.issue17ExternalGeneralEntities failed
[error] Test scala.xml.XMLTestJVM.issue17DisallowDoctypeDecl failed
[error] Test scala.xml.XMLTestJVM.issue17ResolveDtdUris failed
[error] Test scala.xml.XMLTestJVM.issue17LoadExternalDtd failed

ashawley added 2 commits April 10, 2018 10:32

Check secure feature processing enabled

b8cf387

Verify default parser features

47cde98

ashawley force-pushed the secure-parsing-tests branch from 82f8cb6 to 47cde98 Compare April 10, 2018 14:32

ashawley merged commit 10fa231 into scala:master Apr 10, 2018

ashawley deleted the secure-parsing-tests branch April 10, 2018 14:50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check secure feature processing enabled #204

Check secure feature processing enabled #204

ashawley commented Apr 6, 2018

ashawley commented Apr 6, 2018

Check secure feature processing enabled #204

Check secure feature processing enabled #204

Conversation

ashawley commented Apr 6, 2018

ashawley commented Apr 6, 2018