Bug 958047 - woodstox-core: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING not supported
Summary: woodstox-core: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING not supported
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: woodstox-core
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Michael Simacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 958046 1009415
TreeView+ depends on / blocked
 
Reported: 2013-04-30 08:55 UTC by Florian Weimer
Modified: 2016-07-19 10:11 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1009415 (view as bug list)
Environment:
Last Closed: 2016-07-19 10:11:18 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Florian Weimer 2013-04-30 08:55:19 UTC
This doesn't work:

        SAXParserFactory factory = new WstxSAXParserFactory();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser parser = factory.newSAXParser();
        InputSource is = new InputSource(new FileInputStream(args[0]));
        parser.parse(is, new DefaultHandler());

It results in:

Exception in thread "main" org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' not recognized

As a result, it appears impossible to defend against "billion laughs"-style denial of service attacks, along the lines of:

https://git.fedorahosted.org/cgit/secure-coding.git/tree/defensive-coding/src/data/XML-Parser-Internal_Entity_Exponential.xml
https://git.fedorahosted.org/cgit/secure-coding.git/tree/defensive-coding/src/data/XML-Parser-Internal_Entity_Exponential_Attribute.xml

Comment 1 Fedora End Of Life 2013-09-16 13:43:06 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20

Comment 2 Fedora Admin XMLRPC Client 2015-01-27 14:40:17 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Jaroslav Reznik 2015-03-03 14:55:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 4 Fedora End Of Life 2016-07-19 10:11:18 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.