karaf-issues mailing list archives

From "Eduardo Aguinaga (JIRA)" <j...@apache.org>
Subject [jira] [Created] (KARAF-4209) Weak XML Schema: Unbounded Occurrences
Date Tue, 15 Dec 2015 17:42:46 GMT
Eduardo Aguinaga created KARAF-4209:
---------------------------------------

             Summary: Weak XML Schema: Unbounded Occurrences
                 Key: KARAF-4209
                 URL: https://issues.apache.org/jira/browse/KARAF-4209
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 4.0.3
            Reporter: Eduardo Aguinaga


HP Fortify SCA and SciTools Understand were used to perform an application security analysis
on the karaf source code.

Setting a maxOccurs value to unbounded can lead to resource exhaustion and ultimately a denial
of service.

File: features/core/src/main/resources/org/apache/karaf/features/karaf-features-1.0.0.xsd
Line: 64

karaf-features-1.0.0.xsd, lines 64-77:
64         <xs:choice minOccurs="0" maxOccurs="unbounded">
65             <xs:element name="details" minOccurs="0" type="xs:string">
66                 <xs:annotation>
67                     <xs:documentation><![CDATA[
68 The help text shown for this feature when using the feature:info console command.
69                     ]]>
70                     </xs:documentation>
71                 </xs:annotation>
72             </xs:element>
73             <xs:element name="config" type="tns:config" />
74             <xs:element name="configfile" type="tns:configFile" />
75             <xs:element name="feature" type="tns:dependency" />
76             <xs:element name="bundle" type="tns:bundle" />
77         </xs:choice>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
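The schema excerpt in the report lets a single <feature> carry any number of <details>, <config>, <configfile>, <feature> and <bundle> children, and an XSD alone cannot express "at most N of these" without breaking legitimate large repositories. The usual practitioner answer is to keep the schema as it is and enforce an occurrence limit in the consumer while streaming the document, so an oversized descriptor is rejected before it is ever built as a whole tree. The following is an added example, not Karaf project code: it uses only Python's standard library, the limit of 1000 children per feature is an assumed policy value, the sample descriptor is constructed inline (the namespace URI is stripped by the parser, so it is not relied on), and the attribute names on <config> and <configfile> are illustrative.

```python
"""Added example (not Karaf project code): enforce an application-level cap on
repeatable children of <feature> while stream-parsing a features descriptor.
The schema excerpt in the report allows an unbounded number of <details>,
<config>, <configfile>, <feature> and <bundle> children; the cap below is an
assumed policy limit the schema itself does not impose."""
import xml.etree.ElementTree as ET
from io import BytesIO

# Child elements of <feature> that karaf-features-1.0.0.xsd lists inside the
# maxOccurs="unbounded" choice (lines 65-76 of the excerpt in the report).
REPEATABLE = {"details", "config", "configfile", "feature", "bundle"}

# Assumed limit; pick whatever the deployment actually needs.
MAX_CHILDREN_PER_FEATURE = 1000


class OccurrenceLimitExceeded(ValueError):
    """Raised when a <feature> has more repeatable children than allowed."""


def _local(tag):
    """Strip any namespace: '{http://...}bundle' -> 'bundle'."""
    return tag.rsplit("}", 1)[-1]


def count_feature_children(xml_bytes, limit=MAX_CHILDREN_PER_FEATURE):
    """Stream-parse a features descriptor and return {feature name: child count}.

    Raises OccurrenceLimitExceeded as soon as one <feature> definition exceeds
    `limit` repeatable children, so an oversized document is rejected without
    ever being materialized as a whole tree."""
    counts = {}
    path = []        # local names of the elements currently open
    current = None   # name of the enclosing <feature> definition, if any
    for event, elem in ET.iterparse(BytesIO(xml_bytes), events=("start", "end")):
        name = _local(elem.tag)
        if event == "start":
            parent = path[-1] if path else None
            if name == "feature" and parent == "features":
                # A top-level <feature> is a definition; a nested one is a dependency.
                current = elem.get("name", "<unnamed>")
                counts[current] = 0
            elif parent == "feature" and name in REPEATABLE and current is not None:
                counts[current] += 1
                if counts[current] > limit:
                    raise OccurrenceLimitExceeded(
                        f"feature {current!r} has more than {limit} repeatable children")
            path.append(name)
        else:
            path.pop()
            if name == "feature" and path and path[-1] == "features":
                current = None
            if path:          # keep the root element; drop everything already counted
                elem.clear()  # releases text, attributes and child elements
    return counts


def build_descriptor(n_bundles):
    """Constructed sample descriptor (not a real repository): one feature with
    one of each other repeatable child plus n_bundles <bundle> children."""
    bundles = "".join(f"<bundle>mvn:example/b{i}/1.0</bundle>" for i in range(n_bundles))
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<features name="example-repo" xmlns="http://karaf.apache.org/xmlns/features/v1.0.0">'
        '<feature name="example" version="1.0.0">'
        "<details>demo</details>"
        '<config name="example.cfg">key=value</config>'
        '<configfile finalname="/etc/example.cfg">mvn:example/cfg/1.0/cfg</configfile>'
        '<feature version="[1,2)">dep</feature>'
        f"{bundles}"
        "</feature></features>"
    ).encode()


def validate(xml_bytes, limit=MAX_CHILDREN_PER_FEATURE):
    """Return ('ok', counts) on success or ('rejected', reason) when the cap is hit."""
    try:
        return "ok", count_feature_children(xml_bytes, limit)
    except OccurrenceLimitExceeded as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(validate(build_descriptor(3)))        # small descriptor is accepted
    print(validate(build_descriptor(50_000)))   # oversized descriptor is rejected early
```

The check runs on the "start" event, so the parser gives up on the first child past the limit rather than after reading the whole document, and clearing each finished element keeps the resident tree small regardless of how many children precede the rejection. Schema validation, where it is used, still runs afterwards on documents that passed the cap.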
