Description of problem: From "Ron Sigal" <rsigal> 's mail thread: "Another XXE issue".

------------
From: "Ron Sigal" <rsigal>
To: pjanouse, pjanouse
Cc: "Bill Burke" <bburke>, "Weinan Li" <weli>
Sent: Sunday, June 1, 2014 5:46:39 AM
Subject: Another XXE issue

Hi Pavel and David,

I've been looking at RESTEASY-1055 "TestXXESecureProcessing testcase doesn't throw UnmarshalException", and I'm writing to you because you were both involved with JBPAPP-8055, which concerned XXE attacks.

It seems that different implementations of Xerces treat external entity expansion differently. JAXP specifies a default limit of 64000 for the entityExpansionLimit parameter "when the secure processing feature is on", but different implementations seem to handle entityExpansionLimit differently. In particular, the version that ships with JDK 1.7 (which I tested with originally) applies the limit (and throws an Exception when it is violated) even when secure processing is turned off, but "xerces:xercesImpl:2.9.1-redhat-4 provided by EAP", referred to by RESTEASY-1055, ignores the limit when secure processing is turned off.

It seems that I need to turn on secure processing explicitly to ensure that the entity expansion limit is observed, but I don't want to change the existing behavior of Resteasy, so I propose to add a Resteasy parameter, "resteasy.document.secure.processing", that can be used to turn on secure processing. If it is set to true, then it looks like I have to use a wrapping unmarshaller like I did to prevent entity expansion.

Any comments?

-Ron
-----------

On 06/02/2014 08:44 AM, "Katerina Novotna" <kanovotn> wrote:

Hi Ron,

I'm thinking it is already too late to include this fix in EAP 6.3.0. I propose to document this issue in the known issues for EAP 6.3.0, with the proposed "workaround" that the customer application needs to check the length of the expansion.

As to the resolution of the issue itself, it seems to me more like a problem of the current xerces implementation present in EAP rather than a problem of resteasy itself. It seems cleaner to me to fix it in xerces directly. What do you think?
Xerces Prod git repo: http://git.app.eng.bos.redhat.com/git/xerces2-j.git/
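The approach Ron describes above, a JAXB unmarshaller wrapped around a SAX reader on which the JAXP secure-processing feature is switched on explicitly, looks roughly like the following. This is an added illustration, not Resteasy's code and not the fix discussed in the thread; the static `secureProcessing` flag is a hypothetical stand-in for the proposed "resteasy.document.secure.processing" parameter, and the `Greeting` type and sample document are constructed for the example.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SecureProcessingUnmarshal {

    // Hypothetical stand-in for the proposed "resteasy.document.secure.processing" switch.
    static boolean secureProcessing = true;

    // Constructed JAXB type used only for this example.
    @XmlRootElement(name = "greeting")
    public static class Greeting {
        public String text;
    }

    // Build an XMLReader whose secure-processing feature follows the switch and hand it
    // to JAXB through a SAXSource, so the unmarshaller inherits the parser's limits
    // instead of creating its own reader with whatever defaults the Xerces build applies.
    static <T> T unmarshal(Class<T> type, String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // With FEATURE_SECURE_PROCESSING on, JAXP's entityExpansionLimit (default 64000)
        // is enforced by every compliant parser, not only by the one bundled with the JDK.
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        Unmarshaller um = JAXBContext.newInstance(type).createUnmarshaller();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        return type.cast(um.unmarshal(source));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document, well within any expansion limit.
        String plain = "<greeting><text>hello</text></greeting>";
        try {
            System.out.println(unmarshal(Greeting.class, plain).text);
        } catch (UnmarshalException e) {
            // A document whose entity references expand past the limit ends up here:
            // JAXB wraps the parser's SAXParseException in an UnmarshalException.
            System.out.println("rejected: " + e.getCause());
        }
    }
}
```

The point of wiring the reader in through `SAXSource` is that the feature is set on the parser the unmarshaller actually uses; setting it anywhere else leaves the limit dependent on the Xerces implementation's own defaults, which is exactly the divergence the thread reports between the JDK 1.7 parser and the EAP-provided xercesImpl.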
Duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1108548 *** This bug has been marked as a duplicate of bug 1108548 ***