db-derby-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6810) Add regression tests for XXE vulnerability
Date Mon, 29 Jun 2015 20:12:05 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14606302#comment-14606302 ]

ASF subversion and git services commented on DERBY-6810:
--------------------------------------------------------

Commit 1688297 from [~bryanpendleton] in branch 'code/trunk'
[ https://svn.apache.org/r1688297 ]

DERBY-6820: Improve error handling in XmlVTI

This patch refines some of the error-handling behavior in the XmlVTI class:
- next() no longer calls printStackTrace if an exception is encountered.
- the SQLException thrown by next() now chains the original exception as cause
- an XMLErrorHandler is installed to process any internal parsing errors
- the XMLErrorHandler closes the input source, so resources can be freed

No new tests are included in this change. Additional new tests which exercise
these code paths are being developed as part of DERBY-6810, however, and
will be submitted in the near future.

> Add regression tests for XXE vulnerability
> ------------------------------------------
>
>                 Key: DERBY-6810
>                 URL: https://issues.apache.org/jira/browse/DERBY-6810
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Bryan Pendleton
>            Assignee: Abhinav Gupta
>         Attachments: billionLaughs.diff, error-stacktrace.out, readPasswordFile.diff, vtiTests.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have an example using a local
> file disclosure.
> Another possibility would be to have an example based on the
> well-known "Billion Laughs" denial of service attack.
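As an added illustration (not Derby's XmlVTI code and not part of commit 1688297), here is a reader in the shape the commit message describes: DTDs and external entities disabled, an ErrorHandler that closes the input source, and the original exception chained as the cause of the SQLException, with a regression-style check of the kind DERBY-6810 asks for. The class and method names are hypothetical; the sample document is constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.sql.SQLException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

// Hypothetical helper, not Derby's XmlVTI: parses XML with DTDs and external entities disabled.
public final class HardenedXmlReader {
    // ErrorHandler that closes the input stream so the file handle is released, then rethrows.
    private static final class ClosingErrorHandler implements ErrorHandler {
        private final InputStream in;
        ClosingErrorHandler(InputStream in) { this.in = in; }
        private void closeQuietly() { try { in.close(); } catch (IOException ignored) { } }
        public void warning(SAXParseException e) { /* warnings are not fatal; keep parsing */ }
        public void error(SAXParseException e) throws SAXException { closeQuietly(); throw e; }
        public void fatalError(SAXParseException e) throws SAXException { closeQuietly(); throw e; }
    }

    public static Document parse(InputStream in) throws SQLException {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Rejecting any DOCTYPE stops both external-entity file disclosure and
            // entity-expansion ("Billion Laughs") documents before any entity is resolved.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setExpandEntityReferences(false);
            DocumentBuilder b = f.newDocumentBuilder();
            b.setErrorHandler(new ClosingErrorHandler(in));
            return b.parse(new InputSource(in));
        } catch (Exception e) {
            // Chain the original exception as the cause instead of printing a stack trace.
            throw new SQLException("XML parse failed: " + e.getMessage(), e);
        }
    }

    // Regression-style check: a document carrying a DOCTYPE must be rejected and the cause preserved.
    public static boolean rejectsDoctype() {
        String constructed = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";  // constructed sample input
        try { parse(new ByteArrayInputStream(constructed.getBytes(StandardCharsets.UTF_8))); return false; }
        catch (SQLException e) { return e.getCause() instanceof SAXParseException; }
    }
}
```

`rejectsDoctype()` returns true when the DOCTYPE is refused by the parser and the SQLException still carries the SAXParseException as its cause, which is the behaviour a test of this kind would assert on.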



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
