Re: Re: Re: Re: Orbeon Nightly regression: DTD entity imports no longer working

Posted by Ralf Jung on Dec 16, 2010; 8:26am
URL: https://discuss.orbeon.com/Orbeon-Nightly-regression-DTD-entity-imports-no-longer-working-tp3085139p3090461.html

Hi Erik,

> Security issues occur when malicious users post XML to Orbeon Forms.
> In that case, for sure, external entities should be disabled.
Sorry if that is a stupid question, but I still do not get it... the only
difference between the entities that work and those that do not is that the
first are defined directly in the DTD, the others are "imported" (or however that
is called) through <!ENTITY % ... >. Since both files are controlled by the
system, and all the attacker can do is choose which DTD to use, it does not
occur to me why one file (the .dtd) is more trustworthy than the other (the
.ent).

> Mmh, this means that we probably need to implement some configuration
> mechanism. The issue is that it will take a bit of time to do this.
>
> Unless you could use something like XInclude?
How could that help? Can a DTD XInclude other files? That would be a
possibility. I cannot edit the files containing the data, as they are
regularly sent to me for import, with almost no possibility for me to change
the format (well, some more hacks and pre-processing them on a shell should
work, but... the import is already complicated enough right now). But I can
tweak the DTD.

Kind regards,
Ralf Jung


--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws
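The switch the thread is arguing about does not know which files are "the system's": the Python SAX demo below, added here and not part of the thread or of Orbeon, shows that a parser with external entity fetching enabled treats the DTD's own `SYSTEM` import exactly like any other, so the decision of which SYSTEM identifiers may be loaded has to be expressed as policy in an entity resolver (here an allow list naming the two system-controlled files). The file names record.xml, record.dtd and shared.ent and their contents are constructed for the example.

```python
import io, os, tempfile, xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource
# Constructed sample, mirroring the thread: the DTD declares one entity itself
# and imports a second one from a .ent file through a parameter entity.
FILES = {
    "record.xml": '<?xml version="1.0"?>\n<!DOCTYPE record SYSTEM "record.dtd">\n'
                  '<record>&intro;|&imported;</record>\n',
    "record.dtd": '<!ENTITY intro "declared in the DTD">\n'
                  '<!ENTITY % shared SYSTEM "shared.ent">\n%shared;\n',
    "shared.ent": '<!ENTITY imported "declared in the .ent">\n',
}

class AllowListResolver(EntityResolver):
    """Lets the parser open only allow-listed SYSTEM ids; others resolve to empty."""
    def __init__(self, allowed):
        self.allowed, self.refused = set(allowed), []
    def resolveEntity(self, publicId, systemId):
        if os.path.basename(systemId) in self.allowed:
            return systemId  # resolved relative to the file that referenced it
        self.refused.append(systemId)
        empty = InputSource(systemId)
        empty.setByteStream(io.BytesIO(b""))  # refuse without aborting the parse
        return empty

class Collector(ContentHandler):
    """Keeps the text and the names of entities the parser could not expand."""
    def __init__(self):
        super().__init__()
        self.text, self.skipped = [], []
    def characters(self, content):
        self.text.append(content)
    def skippedEntity(self, name):
        self.skipped.append(name)

def parse_record(allowed):
    """Parse the sample; return (text, skipped entities, refused SYSTEM ids)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        parser = xml.sax.make_parser()
        # One switch covers the DTD and the .ent alike; which of them the
        # system trusts is policy, so that decision lives in the resolver.
        parser.setFeature(feature_external_ges, True)
        resolver, handler = AllowListResolver(allowed), Collector()
        parser.setEntityResolver(resolver)
        parser.setContentHandler(handler)
        parser.parse(os.path.join(tmp, "record.xml"))
    return "".join(handler.text), handler.skipped, resolver.refused
```

With both files allowed the imported entity expands; with only record.dtd allowed the parser still reads the DTD but reports `imported` as skipped, which is the symptom the thread describes.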