OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   RE: [xml-dev] Bulk XSD validation in Java

[ Lists Home | Date Index | Thread Index ]
  • To: "Stan Kitsis" <skits@microsoft.com>,"xml dev" <xml-dev@lists.xml.org>
  • Subject: RE: [xml-dev] Bulk XSD validation in Java
  • From: "Chris Wilper" <cwilper@cs.cornell.edu>
  • Date: Tue, 28 Feb 2006 17:26:43 -0500
  • Thread-index: AcY78QweOdUWX9CsQUCGeUwezvtcjAAFLOPVACSkVuAABWIdcA==
  • Thread-topic: [xml-dev] Bulk XSD validation in Java

Title: Bulk XSD validation in Java
Hi Stan,
The sources are trusted in this case, but the software may be re-used in less secure environments later... so I'd rather deal with the potential vulnerabilities up-front.
I'm aware of the old DTD attack, and a few obvious DoS-type attacks I can envision.  Do you have any idea what types of risks might remain if the application employed the following rules?
All documents would fail to be parsed if:
  - they contain DTD declarations
  - their size exceeds some acceptable threshold
  - connection and/or retrieval time exceeds some acceptable threshold
Schemas would fail to be loaded (and thus parsed or used) if:
  - the # of loaded schemas since the last completed validation
    exceeds some acceptable threshold (a crude guard against
    excessive schema includes within schemas, etc..)

From: Stan Kitsis [mailto:skits@microsoft.com]
Sent: Tuesday, February 28, 2006 1:59 PM
To: Chris Wilper; xml dev
Subject: RE: [xml-dev] Bulk XSD validation in Java



Your scenario involves unknown data and unknown schemas.  If the sources of your inputs are not trusted, you are opening yourself to a wide range of potential problems (such as DoS attacks). 





Stan Kitsis,

Webdata - XML

Microsoft Corporation



From: Chris Wilper [mailto:cwilper@cs.cornell.edu]
Sent: Monday, February 27, 2006 5:54 PM
To: xml dev
Subject: [xml-dev] Bulk XSD validation in Java


Hi all,

I've got a java process that needs to continously validate xml documents according to the w3c schemas they indicate in their xsd:schemaLocations.  The documents arrive at a high rate and must be processed as quickly as possible.  The exact schemas they employ are not known ahead of time and there may be several of them required to validate each document.

My question is, what library/libraries are appropriate in this situation and how do I tell them to only load the required schema(s) only once?  Any advice?



News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS