Date: Mon, 11 Sep 2017 15:18:00 +0000 (UTC)
From: "Josh Elser (JIRA)"
To: dev@phoenix.apache.org
Subject: [jira] [Updated] (PHOENIX-4188) Disable DTD parsing on Pherf XML documents

     [ https://issues.apache.org/jira/browse/PHOENIX-4188?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser updated PHOENIX-4188:
--------------------------------
    Attachment: PHOENIX-4188.002.patch

.002 naming convention on the data files for the new test cases conflicted with what the existing tests were expecting which caused the new parser additions to (correctly, actually) fail the existing tests :)

> Disable DTD parsing on Pherf XML documents
> ------------------------------------------
>
>                 Key: PHOENIX-4188
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4188
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.12.0
>
>         Attachments: PHOENIX-4188.001.patch, PHOENIX-4188.002.patch
>
>
> A security scan dinged Phoenix for an external entities attack on the XML files that Pherf creates.
> We can easily work around it by disabling the inline doctype definition in the XML parser we use.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)