phoenix-dev mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-4188) Disable DTD parsing on Pherf XML documents
Date Tue, 12 Sep 2017 21:08:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-4188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16163655#comment-16163655 ]

Hudson commented on PHOENIX-4188:
---------------------------------

SUCCESS: Integrated in Jenkins build Phoenix-master #1790 (See [https://builds.apache.org/job/Phoenix-master/1790/])
PHOENIX-4188 Disable inline-DTDs in Pherf XML records (elserj: rev 4ee35057c6a63c347f959361338b517d4f5b38c4)
* (edit) phoenix-pherf/src/main/java/org/apache/phoenix/pherf/configuration/XMLConfigParser.java
* (edit) phoenix-pherf/src/main/java/org/apache/phoenix/pherf/result/impl/XMLResultHandler.java
* (add) phoenix-pherf/src/test/java/org/apache/phoenix/pherf/XMLConfigParserTest.java
* (edit) phoenix-pherf/pom.xml
* (add) phoenix-pherf/src/test/resources/malicious_results_with_dtd.xml
* (edit) phoenix-pherf/config/scenario/user_defined_scenario.xml
* (add) phoenix-pherf/src/test/java/org/apache/phoenix/pherf/result/impl/XMLResultHandlerTest.java
* (add) phoenix-pherf/src/test/resources/scenario/malicious_scenario_with_dtd.xml
* (edit) phoenix-pherf/src/test/java/org/apache/phoenix/pherf/ConfigurationParserTest.java


> Disable DTD parsing on Pherf XML documents
> ------------------------------------------
>
>                 Key: PHOENIX-4188
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4188
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.12.0
>
>         Attachments: PHOENIX-4188.001.patch, PHOENIX-4188.002.patch
>
>
> A security scan dinged Phoenix for an external entities attack on the XML files that Pherf creates.
> We can easily work around it by disabling the inline doctype definition in the XML parser we use.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
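Added example, not the Phoenix/Pherf code from the commit above: a StAX reader configured the way the issue describes, with DTD and external-entity support switched off, run against a constructed benign record and a constructed record that carries an inline DOCTYPE. Class and method names are assumed; whether the rejection surfaces at the DOCTYPE or at the first undeclared entity reference depends on the StAX implementation, so the code also rejects DTD and entity-reference events explicitly.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class DtdFreeXmlReader {

    /** StAX factory that neither processes DOCTYPE declarations nor resolves external entities. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    /**
     * Returns the concatenated character content of the document's elements.
     * A DTD or an unresolved entity reference is a hard error, so a record with an
     * inline DOCTYPE is rejected instead of being processed.
     */
    static String readText(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.DTD || event == XMLStreamConstants.ENTITY_REFERENCE) {
                    throw new XMLStreamException("DTD or entity reference not allowed in this document");
                }
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return text.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed samples: a benign record, and one smuggling an inline DTD (placeholder URI).
        String benign = "<results><name>scenario-1</name></results>";
        String withDtd = "<!DOCTYPE results [<!ENTITY e SYSTEM \"file:///placeholder\">]>"
                       + "<results><name>&e;</name></results>";
        for (String doc : new String[] { benign, withDtd }) {
            try {
                System.out.println("accepted: " + readText(doc));
            } catch (XMLStreamException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```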
