Thursday, August 06, 2009
XML issue, NiXPS SDK unaffected
The Register reports the discovery of an XML flaw that appears to affect a lot of different XML libraries, as such it seems to be more of a design issue with XML, than a regular software bug.
XPS contains a lot of XML, so it's an issue that is of interest to the XPS community.
The details are scarce, but by looking at the references on the CERT advisory it seems to be related to the DTD an XML file can contain; and more specifically related to recursive DTD references.
The Apache software foundation publishes a very popular XML parsing library, Xerces.
They have implemented a fix, and the commit message appears to be: 'Avoid recursion when parsing simply nested DTD structures.' So we can safely assume that DTD recursion is at play here.
Our NiXPS SDK does not contain a third party XML parsing library, as we regarded the XML processing very vital and core to XPS processing, that we decided not to use a third party library for this.
The XML parsing implementation in the NiXPS SDK is immune to this DTD recursion issue. ¶ 10:48
XPS contains a lot of XML, so it's an issue that is of interest to the XPS community.
The details are scarce, but by looking at the references on the CERT advisory it seems to be related to the DTD an XML file can contain; and more specifically related to recursive DTD references.
The Apache software foundation publishes a very popular XML parsing library, Xerces.
They have implemented a fix, and the commit message appears to be: 'Avoid recursion when parsing simply nested DTD structures.' So we can safely assume that DTD recursion is at play here.
Our NiXPS SDK does not contain a third party XML parsing library, as we regarded the XML processing very vital and core to XPS processing, that we decided not to use a third party library for this.
The XML parsing implementation in the NiXPS SDK is immune to this DTD recursion issue. ¶ 10:48
