FasterXML/woodstox

Security problem when using Woodstox as a drop-in replacement for JDK parsers

Closed this issue · 3 comments

veita commented

JEP 185: Restrict Fetching of External XML Resources introduced system properties for securing applications against security threats such as XML External Entities.

When e.g. the system property -Djavax.xml.accessExternalDTD= is set to the empty list, the JDK parsers throw an exception if the parsed document contains a reference to an external DTD.

When Woodstox is added to the application's class path it replaces the default parsers. But then the system property seems no longer to have any effect, weakening the security of the application.

Since security is generally a major concern Woodstox should honour the properties introduced by JEP 185.

Instead of the newly introduced property, you could instead use the StAX standard property that does the same: XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES? Disable that (using factory.setProperty()) and things work as expected.

Since this property seems to be a relatively new addition, Woodstox does not yet support it. No one has so far requested its addition.

But I will file an issue for adding support.

Created #51 as placeholder so that whoever has time can work on it.

@veita forgot to add the important part: Thank you for reporting this.

I hope we can update things to support newer Oracle additions, even if communication lines do not always seem to work well (we used to get more patches, updates, from them, a couple of years ago).
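The workaround suggested in the thread, as an added example (not code from the issue or from the Woodstox project): configure the StAX factory explicitly instead of relying on the JEP 185 system property, so the result does not depend on which XMLInputFactory implementation happens to win on the class path. The sample document and the http://example.invalid URL are constructed; the XMLResolver that refuses every lookup is an extra layer I added, not something the maintainer mentioned.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxFactory {

    // Constructed sample: a document that references an external DTD and
    // uses an entity that would only be declared in that DTD.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note SYSTEM \"http://example.invalid/note.dtd\">\n"
      + "<note>&ext;</note>";

    /**
     * Builds a factory that will not fetch external DTDs or external entities,
     * whichever StAX implementation (JDK or Woodstox) newInstance() returns.
     */
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // StAX-standard switches; the first one is the property the thread points to.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Belt and braces (my addition): if the parser still asks for an external
        // resource, refuse instead of opening a network or file connection.
        f.setProperty(XMLInputFactory.RESOLVER, (XMLResolver) (publicID, systemID, baseURI, ns) -> {
            throw new XMLStreamException("External resource blocked: " + systemID);
        });
        return f;
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory f = hardenedFactory();
        // Useful when auditing a deployment: shows which implementation is active.
        System.out.println("StAX implementation: " + f.getClass().getName());

        XMLStreamReader r = f.createXMLStreamReader(new StringReader(SAMPLE));
        try {
            while (r.hasNext()) {
                r.next();
            }
            System.out.println("Parsed without touching any external resource");
        } catch (XMLStreamException e) {
            // Either the DTD was skipped and &ext; is undeclared, or the resolver
            // refused the lookup; in both cases nothing was fetched from the network.
            System.out.println("Parse refused: " + e.getMessage());
        } finally {
            r.close();
        }
    }
}
```

Run it twice, once with Woodstox on the class path and once without, and compare the implementation class printed: the parse outcome should be the same in both runs, which is exactly what the system property alone does not guarantee according to the report above.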