Cart
[Home] [By Thread] [By Date] [Recent Entries]
Chris, personally I don't like the idea of trusting the processing hint xsi:schemaLocation and usually prefer to decide what set of schemata (and/or other methods - e.g. rules) I want to use to validate inbound messages. Of course this does somewhat depend on the trust relationship you have with your service consumers and the level of authentication/authorisation that is implemented prior to message processing. Is there no way that your validation process can 'discover' the specific message type at run-time and validate against the appropriate set of [cached] schemata ? Fraser. >From: "Chris Wilper" <cwilper@c...> >To: "Stan Kitsis" <skits@m...>,"xml dev" <xml-dev@l...> >Subject: RE: Bulk XSD validation in Java >Date: Tue, 28 Feb 2006 17:26:43 -0500 > >Hi Stan, > >The sources are trusted in this case, but the software may be re-used in >less >secure environments later... so I'd rather deal with the potential >vulnerabilities up-front. > >I'm aware of the old DTD attack, and a few obvious DoS-type attacks I can >envision. Do you have any idea what types of risks might remain if the >application employed the following rules? > >All documents would fail to be parsed if: > - they contain DTD declarations > - their size exceeds some acceptable threshold > - connection and/or retrieval time exceeds some acceptable threshold > >Schemas would fail to be loaded (and thus parsed or used) if: > - the # of loaded schemas since the last completed validation > exceeds some acceptable threshold (a crude guard against > excessive schema includes within schemas, etc..) > >Thanks, >Chris > > >________________________________ > >From: Stan Kitsis [mailto:skits@m...] >Sent: Tuesday, February 28, 2006 1:59 PM >To: Chris Wilper; xml dev >Subject: RE: Bulk XSD validation in Java > > > >Chris, > > > >Your scenario involves unknown data and unknown schemas. If the sources of >your inputs are not trusted, you are opening yourself to a wide range of >potential problems (such as DoS attacks). > > > >Stan > > > >-------------------------------------- > >Stan Kitsis, > >Webdata - XML > >Microsoft Corporation > >-------------------------------------- > > > >________________________________ > >From: Chris Wilper [mailto:cwilper@c...] >Sent: Monday, February 27, 2006 5:54 PM >To: xml dev >Subject: Bulk XSD validation in Java > > > >Hi all, > >I've got a java process that needs to continously validate xml documents >according to the w3c schemas they indicate in their xsd:schemaLocations. >The >documents arrive at a high rate and must be processed as quickly as >possible. >The exact schemas they employ are not known ahead of time and there may be >several of them required to validate each document. > >My question is, what library/libraries are appropriate in this situation >and >how do I tell them to only load the required schema(s) only once? Any >advice? > >Thanks, >Chris >
|
