[YANGTOOLS-1211] Can XML injection protection settings be added to XmlParserStream.java?
Created: 25/Jan/21 Updated: 25/Jan/21

| Status: | Open |
| Project: | yangtools |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Low |
| Reporter: | march much | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |

Can XML injection protection settings be added to XmlParserStream.java? For example:

| Comments |
| Comment by Robert Varga [ 25/Jan/21 ] |

I do not see how it could be attacked even today. The transformer does not process a raw document, but rather a stream of events coming from a (I am pretty sure) secured XMLStreamWriter. By the time the transformer sees it, the document's contents should've been defanged. If not, please provide a test case.
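
A check of the kind the comment asks for, as an added example that is not code from yangtools or from either participant: it hardens a JDK `XMLInputFactory` and verifies that an entity declared in a DTD never reaches the event stream a StAX consumer would read. The class name `HardenedStaxCheck`, its helper methods and the sample document are constructed for illustration; only `javax.xml.stream` from the JDK is assumed.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxCheck {
    // Constructed sample: a document that declares an internal entity in a DTD.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE data [<!ENTITY e \"EXPANDED\">]>"
        + "<data>&e;</data>";

    /** Factory with DTD processing and external entity resolution switched off. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Returns the character data seen, or "REJECTED" if the parser refused the input. */
    static String readText(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
        } catch (XMLStreamException e) {
            // A parser with DTD support disabled may refuse the entity reference outright.
            return "REJECTED";
        }
        return text.toString();
    }

    public static void main(String[] args) {
        String hardened = readText(hardenedFactory(), SAMPLE);
        System.out.println("hardened factory: " + hardened);
        // Either outcome is acceptable, as long as the DTD-declared value is not expanded.
        if (hardened.contains("EXPANDED")) {
            throw new AssertionError("entity declared in the DTD was expanded");
        }
    }
}
```

The same `readText` helper can be pointed at whatever factory actually produces the reader in a deployment, to confirm it behaves like the hardened one.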