chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Florian Müller (JIRA) <j...@apache.org>
Subject [jira] [Commented] (CMIS-941) XML External Entity Injection possible in LoggingFilter
Date Mon, 24 Aug 2015 09:49:45 GMT

    [ https://issues.apache.org/jira/browse/CMIS-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14709032#comment-14709032
] 

Florian Müller commented on CMIS-941:
-------------------------------------

That's already there. The LoggingFilter call the XMLUtils:
{code}
Transformer transformer = XMLUtils.newTransformer(indent);
{code}

XMLUtils eventually does this:
{code}
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
{code}

> XML External Entity Injection possible in LoggingFilter
> -------------------------------------------------------
>
>                 Key: CMIS-941
>                 URL: https://issues.apache.org/jira/browse/CMIS-941
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> The XML parser configured in LoggingFilter.java:205 does not prevent nor limit Document
Type Definition (DTD) entity resolution. This can expose the parser to an XML Entity Expansion
injection.
> Explanation:
> XML Entity Expansion injection also known as XML Bombs are DoS attacks that benefit from
valid and well-formed XML blocks that expand exponentially until they exhaust the server allocated
resources. XML allows to define custom entities which act as string substitution macros. By
nesting recurrent entity resolutions, an attacker can easily crash the server resources.
> The following XML document shows an example of an XML Bomb.
> <?xml version="1.0"?>
> <!DOCTYPE lolz [
>   <!ENTITY lol "lol">
>   <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
>   <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
>   <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
>   <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
>   <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
>   <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
>   <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
>   <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
> ]>
> <lolz>&lol9;</lolz>
> This test could crash the server by expanding the small XML document into more than 3GB
in memory.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message