db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bryan Pendleton (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6810) Add regression tests for XXE vulnerability
Date Thu, 11 Jun 2015 02:43:00 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14581364#comment-14581364
] 

Bryan Pendleton commented on DERBY-6810:
----------------------------------------

This page, which discusses non-Java XML processing:

https://msdn.microsoft.com/en-us/magazine/ee335713.aspx

suggests:

    The easiest way to defend against all types of XML entity attacks 
    is to simply disable altogether the use of inline DTD schemas in 
    your XML parsing objects. This is a straightforward application 
    of the principle of attack surface reduction: if you’re not using a 
    feature, turn it off so that attackers won’t be able to abuse it.

> Add regression tests for XXE vulnerability
> ------------------------------------------
>
>                 Key: DERBY-6810
>                 URL: https://issues.apache.org/jira/browse/DERBY-6810
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Bryan Pendleton
>            Assignee: Abhinav Gupta
>         Attachments: billionLaughs.diff, readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have a example using a local
> file disclosure.
> Another possibility would be to have example based on the
> well-known "Billion Laughs" denial of service attack.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message