
List:       tomcat-user
Subject:    Re: [OT] External XML Entities with relative pathnames
From:       Konstantin Kolinko <knst.kolinko () gmail ! com>
Date:       2016-06-28 20:28:08
Message-ID: CABzHfVkmCwAOsRZJBfCZ-1GPQESwA9+LcRSr1TEMTORi+TwCuA () mail ! gmail ! com

2016-06-28 18:53 GMT+03:00 Christopher Schultz <chris@christopherschultz.net>:

> I'm trying to build an XML file that includes several smaller XML
> files using XXE, like this:
>
> bar.xml:
>
> <?xml version="1.0"?>
> <!DOCTYPE config [
> <!ENTITY foo SYSTEM "foo.xml">
> ]>
> <config>
>   &foo;
> </config>
>
> The files "foo.xml" and "bar.xml" are in the same directory.
>
> This works great when the CWD of the process is the same as foo.xml
> and bar.xml, but when I try to say "hey program, parse
> /a/b/c/bar.xml", I get FileNotFoundException for CWD/foo.xml.
>
> We often recommend that people use XXE for "password-less" server.xml
> files. Is everyone using absolute filenames for that? Or is there some
> kind of option that I need to set on Xerces (being used internally by
> the JVM -- the com.sun.org.apache.xerces flavor) or Digester (I'm
> using commons-digester to read the XML) to enable relative entities?
>
> I've been searching the web for references to things like this, and it
> appears that various versions of Xerces (including the C version) had
> a bug where relative paths weren't working properly (the XML spec says
> that relative paths such as the above should be relative to the
> document that defined them -- that is: foo.xml should be expected in
> the same location as bar.xml in my example above). Do I just have a
> buggy version of Xerces?
>


1. I routinely use that "passwords" recipe to externalize resources
from server.xml.  It is the same example as in our FAQ (no path at all
-> resolved relative to server.xml).

Also Tomcat has examples in its documentation:

Every document (e.g. changelog.xml, config/index.xml) references
project.xml located in the same directory as the document, with
different project.xml in each directory.

security-manager-howto.xml also references catalina.policy

Note that Apache Ant is usually run from the root of source tree.


2. Note that to be able to resolve relative URLs, the XML parser must know
the correct URL of the file that it processes.

Sample code:

o.a.catalina.ant.ValidatorTask

            InputSource is = new InputSource(file.toURI().toURL().toExternalForm());
            is.setByteStream(stream);

o.a.catalina.startup.Catalina:

                InputSource is =
                    new InputSource(file.toURI().toURL().toString());
                is.setByteStream(fis);

instead of just calling new InputSource(stream).

Best regards,
Konstantin Kolinko

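The following is an added example, not code from this thread or from Tomcat, that reproduces the behaviour Konstantin describes in one self-contained Java program. It assumes a plain JDK with its bundled Xerces (the com.sun.org.apache.xerces flavor) and no Digester on the classpath; the class and method names, the temporary directory and the two constructed documents (a bar.xml that pulls in a sibling foo.xml through a relative system ID) are the example's own. It parses bar.xml twice: once with only a byte stream, which leaves the parser without a base URL so "foo.xml" is looked up relative to the CWD, and once with the stream plus the file's URL as system ID, the pattern used in Catalina and ValidatorTask.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class RelativeEntityDemo {

    // Constructed sample documents (not from the thread): bar.xml references
    // foo.xml by a relative system ID, which the XML spec resolves against
    // the URL of the document that declares the entity.
    private static final String FOO_XML = "<foo>value-from-foo</foo>";
    private static final String BAR_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE config [\n"
        + "<!ENTITY foo SYSTEM \"foo.xml\">\n"
        + "]>\n"
        + "<config>&foo;</config>\n";

    /** Byte stream only: the parser has no base URL, so "foo.xml" resolves against the CWD. */
    static Document parseWithoutSystemId(Path bar) throws Exception {
        try (InputStream in = Files.newInputStream(bar)) {
            return newBuilder().parse(new InputSource(in));
        }
    }

    /** Byte stream plus the file's URL as system ID: "foo.xml" resolves next to bar.xml. */
    static Document parseWithSystemId(Path bar) throws Exception {
        try (InputStream in = Files.newInputStream(bar)) {
            InputSource is = new InputSource(bar.toUri().toURL().toString());
            is.setByteStream(in);
            return newBuilder().parse(is);
        }
    }

    private static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // External general entities are exactly what makes "&foo;" work, and
        // also what XXE attacks abuse. Keep this enabled only for files you
        // control (trusted configuration such as server.xml), never for XML
        // that an untrusted party can supply.
        f.setFeature("http://xml.org/sax/features/external-general-entities", true);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Write the pair into a temp directory so it is (almost certainly) not the CWD.
        Path dir = Files.createTempDirectory("relative-entity-demo");
        Files.write(dir.resolve("foo.xml"), FOO_XML.getBytes(StandardCharsets.UTF_8));
        Path bar = dir.resolve("bar.xml");
        Files.write(bar, BAR_XML.getBytes(StandardCharsets.UTF_8));

        System.out.println("CWD: " + System.getProperty("user.dir"));
        System.out.println("XML: " + dir);

        try {
            parseWithoutSystemId(bar);
            System.out.println("stream only: resolved (a foo.xml happens to exist in the CWD)");
        } catch (Exception e) {
            // Expected: java.io.FileNotFoundException for <CWD>/foo.xml.
            System.out.println("stream only: " + e);
        }

        Document doc = parseWithSystemId(bar);
        System.out.println("stream + systemId: "
            + doc.getDocumentElement().getTextContent().trim());
    }
}
```

The same InputSource, with both the byte stream and the system ID set, can be handed to Digester's parse(InputSource) instead of passing the bare stream, which is what gives Digester the base URL it needs to resolve relative entities.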
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
