Posted by Erik Bruchez on Dec 18, 2010; 1:50am
URL: https://discuss.orbeon.com/Orbeon-Nightly-regression-DTD-entity-imports-no-longer-working-tp3085139p3093359.html
> Sorry if that is a stupid question, but I still do not get it... the only
> difference between the entities that work and those that do not is that the
> first are defined directly in the DTD, the other are "imported" (or however that
> is called) through <!ENTITY % ... >. Since both files are controlled by the
> system, and all the attacker can do is choose which DTD to use, it does not
> occur to me why one file (the .dtd) is more trustworthy than the other (the
> .ent).
Right, those are called external entities, and it's those that cause
security issues and which we disabled.
> How could that help? Can a DTD XInclude other files?
I fear not.
> That would be a
> possibility. I can not edit the files containing the data, as they are
> regularly sent to me for import, with almost no possibility for me to change
> the format (well, some more hacks and pre-processing them on a Shell should
> work, but... the import is already complicated enough right now). But I can
> tweak the DTD.
So can you tweak it not to use external entities?
-Erik
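
Added example (not part of the original message and not Orbeon code): one way to tweak a DTD so it no longer uses external entities is to inline the `.ent` files it pulls in through `<!ENTITY % ... SYSTEM ...>`. The function name `flatten_dtd`, the sample DTD and `latin.ent` are constructed for illustration; the `files` dict stands in for reading vetted local files.

```python
import re

# <!ENTITY % name SYSTEM "uri">  or  <!ENTITY % name PUBLIC "pubid" "uri">
EXT_PE = re.compile(
    r'<!ENTITY\s+%\s+([\w.:-]+)\s+(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|\'[^\']*\'))\s+'
    r'(?:"([^"]*)"|\'([^\']*)\')\s*>')
# Text declaration allowed at the start of an external entity, illegal once inlined
TEXT_DECL = re.compile(r'^\s*<\?xml[^>]*\?>')


def flatten_dtd(dtd_text, files, _depth=0):
    """Return dtd_text with external parameter entities inlined.

    files maps each allowed system identifier to that file's text.
    Anything not listed is refused; nothing is ever fetched.
    """
    if _depth > 8:
        raise ValueError("entity nesting too deep (possible cycle)")
    external = {}

    def drop_declaration(match):
        name = match.group(1)
        system_id = match.group(2) if match.group(2) is not None else match.group(3)
        if system_id not in files:
            raise ValueError("refusing unknown system id: %r" % system_id)
        body = TEXT_DECL.sub("", files[system_id])
        external[name] = flatten_dtd(body, files, _depth + 1)
        return ""  # the external declaration itself disappears

    text = EXT_PE.sub(drop_declaration, dtd_text)
    for name, body in external.items():
        text = text.replace("%" + name + ";", body)  # expand each reference
    return text


# Constructed sample input: a DTD importing one entity file.
SAMPLE_DTD = ('<!ENTITY % latin SYSTEM "latin.ent">\n'
              '%latin;\n'
              '<!ELEMENT doc (#PCDATA)>\n')
SAMPLE_FILES = {
    "latin.ent": ('<?xml version="1.0" encoding="UTF-8"?>\n'
                  '<!ENTITY eacute "&#233;">\n'
                  '<!ENTITY nbsp "&#160;">\n'),
}

if __name__ == "__main__":
    print(flatten_dtd(SAMPLE_DTD, SAMPLE_FILES))
```

The flattened output contains only internal entity declarations, so it loads with external entity resolution left disabled in the parser.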