uima-dev mailing list archives

From "Marshall Schor (JIRA)" <...@uima.apache.org>
Subject [jira] [Commented] (UIMA-6064) External DTD usage in XML descriptors disabled during build revision upgrade
Date Mon, 17 Jun 2019 15:59:00 GMT

    [ https://issues.apache.org/jira/browse/UIMA-6064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16865721#comment-16865721

Marshall Schor commented on UIMA-6064:

Thanks; good catch on ACCESS_EXTERNAL_SCHEMA - we'll add that.

It seems reasonable to add one switch to restrict all / none (default: restrict all).

I'll work on coming up with a spec for the true/false and "protocols" or all or "".

I'm thinking of making all of these -D kind of parameters, because that allows env vars (as
the value of the -D parameter) as an alternative. 

> External DTD usage in XML descriptors disabled during build revision upgrade
> ----------------------------------------------------------------------------
>                 Key: UIMA-6064
>                 URL: https://issues.apache.org/jira/browse/UIMA-6064
>             Project: UIMA
>          Issue Type: Bug
>          Components: Core Java Framework
>    Affects Versions: 2.10.2SDK
>            Reporter: Timo Boehme
>            Priority: Major
> Between version 2.10.1 and 2.10.2 the XMLParser configuration was changed (fixed, without
> the possibility to adjust it) to not allow for DTD and its loading from external file.
> This is done in XMLUtils.createSAXParserFactory() which sets the DISALLOW_DOCTYPE_DECL
> and LOAD_EXTERNAL_DTD feature. Before, the SAXParserFactory was created without adjusting these.
> While I understand that this was done to prevent malicious XML from doing nasty things,
> the way it was done is problematic:
>  * the change happened in a revision build, no major or minor number change
>  * it was not documented
>  * one cannot simply change it back like using an environment variable, method call etc.
>    - the only workaround is to do a problematic sub-classing of XMLParser_impl with additional
>      configuration etc.
> We use the DTDs for CPE descriptors quite a lot to have the descriptor in modular chunks
> using entities etc. Thus it is important (for the time being) to use DTD there - and we know
> that the XML is not problematic.
> Because this feature (DTD) is crucial I have marked this as a BUG since such changes
> should not occur in a build upgrade or it should at least be possible to get the old behavior
> easily back.

This message was sent by Atlassian JIRA
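A sketch of the switch discussed in this thread, added here as an example and not UIMA's own code: one -D property (hypothetical name `example.xml.externalDtdProtocols`) whose value is the JAXP protocol list for external DTD/schema access, defaulting to restrict-all; the class and helper names are assumptions, while the feature and property names are the standard Xerces/JAXP ones the issue refers to.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedSaxFactory {
    // Hypothetical switch (not a UIMA property). Read as -Dexample.xml.externalDtdProtocols=...
    // so it can also be fed from an environment variable. Value is the JAXP protocol list:
    // "" = restrict all (default), "file" = local files only, "all" = no restriction.
    static final String SWITCH = "example.xml.externalDtdProtocols";
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    public static SAXParser newParser() throws ParserConfigurationException, SAXException {
        String protocols = System.getProperty(SWITCH, "").trim();
        boolean restrictAll = protocols.isEmpty();
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        // Default (restrict all): any DOCTYPE is rejected, so no entity expansion or external fetch can occur.
        setFeatureIfSupported(f, DISALLOW_DOCTYPE, restrictAll);
        // Opted in (modular descriptors built from entities): external subsets may be loaded,
        // but only over the protocols listed in the switch (enforced by the properties below).
        setFeatureIfSupported(f, LOAD_EXTERNAL_DTD, !restrictAll);
        SAXParser p = f.newSAXParser();
        // JAXP 1.5 access properties: "" forbids every protocol, "file" allows only local files.
        setPropertyIfSupported(p, XMLConstants.ACCESS_EXTERNAL_DTD, protocols);
        setPropertyIfSupported(p, XMLConstants.ACCESS_EXTERNAL_SCHEMA, protocols);
        return p;
    }

    /** Parses a descriptor with the configured parser; throws SAXException when the policy rejects it. */
    public static void parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        newParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
    }

    private static void setFeatureIfSupported(SAXParserFactory f, String name, boolean value)
            throws ParserConfigurationException {
        try { f.setFeature(name, value); }
        catch (SAXNotRecognizedException | SAXNotSupportedException e) { /* non-Xerces parser: feature absent */ }
    }

    private static void setPropertyIfSupported(SAXParser p, String name, String value) {
        try { p.setProperty(name, value); }
        catch (SAXNotRecognizedException | SAXNotSupportedException e) { /* pre-JAXP-1.5 parser */ }
    }
}
```

With the property unset, `parse` of any document carrying a DOCTYPE fails with a SAXParseException; with `-Dexample.xml.externalDtdProtocols=file` the CPE descriptors described in the issue parse, while DTDs or schemas referenced over http are still refused.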
