RE: Bulk XSD validation in Java
- To: "Stan Kitsis" <skits@m...>,"xml dev" <xml-dev@l...>
- Subject: RE: Bulk XSD validation in Java
- From: "Chris Wilper" <cwilper@c...>
- Date: Tue, 28 Feb 2006 17:26:43 -0500

Hi Stan,

The sources are trusted in this case, but the software may be re-used in less secure environments later... so I'd rather deal with the potential vulnerabilities up-front.

I'm aware of the old DTD attack, and a few obvious DoS-type attacks I can envision. Do you have any idea what types of risks might remain if the application employed the following rules?

All documents would fail to be parsed if:
- they contain DTD declarations
- their size exceeds some acceptable threshold
- connection and/or retrieval time exceeds some acceptable threshold

Schemas would fail to be loaded (and thus parsed or used) if:
- the # of loaded schemas since the last completed validation exceeds some acceptable threshold (a crude guard against excessive schema includes within schemas, etc.)

Thanks,
Chris

Chris,

Your scenario involves unknown data and unknown schemas. If the sources of your inputs are not trusted, you are opening yourself to a wide range of potential problems (such as DoS attacks).

Stan

--------------------------------------
Stan Kitsis, Webdata - XML
Microsoft Corporation
--------------------------------------

From: Chris Wilper [mailto:cwilper@c...]
Sent: Monday, February 27, 2006 5:54 PM
To: xml dev
Subject: Bulk XSD validation in Java

Hi all,

I've got a java process that needs to continuously validate xml documents according to the w3c schemas they indicate in their xsd:schemaLocations. The documents arrive at a high rate and must be processed as quickly as possible. The exact schemas they employ are not known ahead of time and there may be several of them required to validate each document.

My question is, what library/libraries are appropriate in this situation and how do I tell them to only load the required schema(s) only once? Any advice?

Thanks, Chris
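
The four rules proposed in the reply at the top of this thread, sketched with the JDK's JAXP classes. This is an added example, not code from any participant in the thread; the class name, the helper names and the three threshold values are assumptions.

```java
import java.io.*;
import java.net.URLConnection;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.w3c.dom.ls.LSResourceResolver;
import org.xml.sax.helpers.DefaultHandler;
public class GuardedParse {
    static final long MAX_BYTES = 1_000_000;             // all thresholds are assumed values
    static final int TIMEOUT_MS = 5_000, MAX_SCHEMAS = 20;
    static int schemasLoaded = 0;                        // reset after each completed validation
    // Size rule: fail the read once the document exceeds MAX_BYTES.
    static InputStream capped(InputStream in) {
        return new FilterInputStream(in) {
            long seen;
            @Override public int read() throws IOException {
                int b = super.read();
                if (b >= 0 && ++seen > MAX_BYTES) throw new IOException("size limit exceeded");
                return b;
            }
            @Override public int read(byte[] buf, int off, int len) throws IOException {
                int n = super.read(buf, off, len);
                if (n > 0 && (seen += n) > MAX_BYTES) throw new IOException("size limit exceeded");
                return n;
            }
        };
    }
    // Time rule: bound connect and read time (the read timeout is per read, not a total).
    static InputStream open(URLConnection c) throws IOException {
        c.setConnectTimeout(TIMEOUT_MS);
        c.setReadTimeout(TIMEOUT_MS);
        return capped(c.getInputStream());
    }
    // Schema rule: install via Validator.setResourceResolver; null keeps default resolution.
    static final LSResourceResolver COUNTING = (type, ns, publicId, systemId, baseUri) -> {
        if (++schemasLoaded > MAX_SCHEMAS) throw new IllegalStateException("schema budget exceeded");
        return null;
    };
    // DTD rule: any DOCTYPE is a fatal error (Xerces feature, also in the JDK's built-in parser).
    static SAXParserFactory factory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }
    public static void main(String[] args) throws Exception {
        InputStream in = capped(new ByteArrayInputStream("<!DOCTYPE a []><a/>".getBytes("UTF-8"))); // constructed
        try { factory().newSAXParser().parse(in, new DefaultHandler()); }
        catch (org.xml.sax.SAXException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```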