Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-1813

With Java 9 'accessExternalDTD' is disabled causing SecureProcessingTests to fail

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Cannot Reproduce
    • Icon: Major Major
    • 3.6.1.Final, 4.0.0.Beta5
    • 3.5.0.CR1
    • None
    • None

      The tests in the org.jboss.resteasy.test.xxe package fail with java version "9.0.4":

      SecureProcessing2Test.testSecurityDefaultDTDsFalseExpansionDefault
      SecureProcessing2Test.testSecurityDefaultDTDsFalseExpansionFalse
      SecureProcessingTest.testSecurityTrueDTDsFalseExpansionDefault
      SecureProcessingTest.testSecurityTrueDTDsFalseExpansionFalse

      They fail to read external DTD file. Which is controled by accessExternalDTD . And I am able to reproduce it locally.

      If we want to keep ability to read external DTD files it should be configurable IMHO.

      Test output:

      &amp#27;[0m11:12:00.396 INFO  [org.jboss.resteasy.test.xxe.SecureProcessingTest] (main) status: 400
11:12:00.396 INFO  [org.jboss.resteasy.test.xxe.SecureProcessingTest] (main) doDTDPasses() result: javax.xml.bind.UnmarshalException
 - with linked exception:
[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 117; External DTD: Failed to read external DTD 'SecureProcessing_external.dtd', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.]

              rsearls r searls
              kanovotn Katerina Odabasi
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: