db-derby-dev mailing list archives

From "Abhinav Gupta (JIRA)" <j...@apache.org>
Subject [jira] [Issue Comment Deleted] (DERBY-6810) Add regression tests for XXE vulnerability
Date Mon, 25 May 2015 21:07:18 GMT

     [ https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhinav Gupta updated DERBY-6810:
---------------------------------
    Comment: was deleted

(was: Hi Bryan,

I read more about Billion Laughs and what I understand is that capping the memory allocated,
and thus the number of entity expansions, is one of the ways of defending against this
attack.

So isn't limiting an expansion of a billion entities to 64,000 a successful way to stop the
attack?)

> Add regression tests for XXE vulnerability
> ------------------------------------------
>
>                 Key: DERBY-6810
>                 URL: https://issues.apache.org/jira/browse/DERBY-6810
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Bryan Pendleton
>            Assignee: Abhinav Gupta
>         Attachments: billionLaughs.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have an example using a local
> file disclosure.
> Another possibility would be to have an example based on the
> well-known "Billion Laughs" denial of service attack.
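One shape such a regression test could take, added here as an example for this thread (it is not Derby's code and not the attached billionLaughs.diff). It covers both ideas in the issue description, the local-file-disclosure case and the nested-entity "Billion Laughs" case, and relates to the expansion cap raised in the comment above: with secure processing on, the JDK's built-in JAXP parser enforces its entity-expansion limit (64,000 by default), but the test does not rely on that cap alone; it refuses any DOCTYPE, so neither entity is ever declared, and the cap remains a backstop. The class and method names are hypothetical, the two sample documents are constructed for the test and deliberately tiny, and the file path in the external entity is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeRegressionCheck {

    // Constructed sample (not the attached diff): the nested-entity shape of
    // "Billion Laughs", kept to two levels so the document itself is harmless.
    // A hardened parser must refuse it before expanding anything.
    static final String NESTED_ENTITY_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;\">\n"
      + "]>\n"
      + "<lolz>&lol2;</lolz>\n";

    // Constructed sample for the local-file-disclosure case; the path is a placeholder.
    static final String EXTERNAL_ENTITY_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [\n"
      + " <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path/to/some-file\">\n"
      + "]>\n"
      + "<data>&ext;</data>\n";

    /** Builds the factory configuration the regression test expects production parsing to use. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Secure processing makes the JDK's built-in parser enforce its resource limits,
        // among them the entity-expansion limit (64,000 expansions by default).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing every DOCTYPE stops both cases before an entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be allowed again: no external entities, no XInclude.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** True when the hardened parser refuses the document; a successful parse means the regression is back. */
    static boolean isRejected(String xml) throws ParserConfigurationException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            // With disallow-doctype-decl set, the JDK parser reports the DOCTYPE itself as the error.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        if (!isRejected(NESTED_ENTITY_DOC)) {
            throw new AssertionError("nested-entity document was parsed: entity-expansion regression");
        }
        if (!isRejected(EXTERNAL_ENTITY_DOC)) {
            throw new AssertionError("external-entity document was parsed: XXE regression");
        }
        System.out.println("both documents rejected by the hardened parser");
    }
}
```

In a real suite the two `main` checks would be the assertions of a test method, and `hardenedFactory()` would be replaced by the factory the product actually uses, so that the test fails if someone later relaxes that configuration rather than only checking a copy of it.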



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
