XMLTooling - Java: JXT-105

DefaultBootstrap unexpectedly uses a StaticBasicParserPool parser with expandEntityReferences set to true


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.4.1
    • Component/s: None
    • Labels: None

      Description

      DefaultBootstrap unexpectedly uses a StaticBasicParserPool parser with expandEntityReferences set to true.

      StaticParserPool explicitly defaults expandEntityReferences to true, which is both a vulnerability [1] and, as far as I know, unnecessary for SAML.

      Given those facts, I believe it should default to false to limit the chances of people building on the library and inheriting the vulnerability (I had assumed that it would be turned off by default).

      Cheers,
      David

      [1] http://en.wikipedia.org/wiki/Billion_laughs
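The hardened configuration the report is asking for, as an added example that is not part of the issue or of the XMLTooling code base: it builds a StaticBasicParserPool with expandEntityReferences turned off, additionally refuses any DOCTYPE (the setting that actually stops an internal-DTD entity bomb from being expanded at all, since expandEntityReferences only controls how entity references are represented in the DOM), installs the pool in place of the one DefaultBootstrap creates, and feeds it a constructed, cut-down billion-laughs document to show the rejection path. The setter names (setExpandEntityReferences, setBuilderFeatures, initialize) and the Configuration.setParserPool/getParserPool calls are assumed from the XMLTooling 1.x API; check them against the version you build on.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.xml.Configuration;
import org.opensaml.xml.DefaultBootstrap;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.w3c.dom.Document;

public class HardenedParserPoolExample {

    // Constructed sample: a three-level cut-down of the "billion laughs" document.
    // A real payload nests about ten levels; this one is small enough to run but
    // still exercises the same internal-DTD entity expansion.
    static final String ENTITY_BOMB =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + "]>\n"
      + "<lolz>&lol2;</lolz>";

    // Builds the pool the reporter wanted as the default. Assumed API: the
    // StaticBasicParserPool setters below mirror those of BasicParserPool.
    static StaticBasicParserPool buildHardenedPool() throws XMLParserException {
        StaticBasicParserPool pool = new StaticBasicParserPool();
        pool.setNamespaceAware(true);            // SAML is namespace-qualified XML
        pool.setExpandEntityReferences(false);   // the setting JXT-105 is about

        // Xerces/JAXP feature URIs. disallow-doctype-decl makes the parser reject
        // any DTD, internal or external, so no entity can be declared at all;
        // the two SAX features additionally block fetching external entities
        // should a DOCTYPE ever be permitted again.
        Map<String, Boolean> features = new HashMap<String, Boolean>();
        features.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
        features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
        features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
        pool.setBuilderFeatures(features);

        pool.initialize();                       // StaticBasicParserPool must be initialized before use
        return pool;
    }

    // Returns true when the pool refused the document, false when it parsed it.
    static boolean rejects(ParserPool pool, String xml) {
        try {
            Document doc = pool.parse(new StringReader(xml));
            System.out.println("parsed; root element = " + doc.getDocumentElement().getTagName());
            return false;
        } catch (XMLParserException e) {
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();            // installs the library's default pool
        Configuration.setParserPool(buildHardenedPool()); // replace it with ours

        ParserPool pool = Configuration.getParserPool();
        System.out.println("entity bomb rejected: " + rejects(pool, ENTITY_BOMB));

        // An ordinary document with no DOCTYPE still parses normally.
        System.out.println("plain document rejected: "
            + rejects(pool, "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"/>"));
    }
}
```

With the disallow-doctype-decl feature set, the entity bomb is refused as soon as the parser sees the DOCTYPE, before any expansion happens; without it, a JDK parser only stops because of its built-in entityExpansionLimit, which is a last line of defense rather than a configuration you should rely on.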

              People

              Assignee:
              putmanb@shibboleth.net Brent Putman
              Reporter:
              davidillsley@idp.protectnetwork.org davidillsley@idp.protectnetwork.org
              Watchers: 3


                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 1d 3h 30m