Posted to issues@camel.apache.org by "Stephan Siano (JIRA)" <ji...@apache.org> on 2015/03/02 08:07:04 UTC

[jira] [Comment Edited] (CAMEL-8312) XML External Entity (XXE) injection in XPath

    [ https://issues.apache.org/jira/browse/CAMEL-8312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14342817#comment-14342817 ] 

Stephan Siano edited comment on CAMEL-8312 at 3/2/15 7:06 AM:
--------------------------------------------------------------

Hi Claus,

are you sure that you want to delay this till 2.15.0? An unpatched XXE injection vulnerability is actually a security issue that should be patched ASAP.

I think this issue (and CAMEL-8311) are about as serious as the ones in CVE-2014-0002 and CVE-2014-0003.

Best regards
Stephan


was (Author: siano):
Hi Claus,

are you sure that you want to delay this till 2.15.0? An unpatched XXE injection vulnerability is actually a security issue that should be patched ASAP.

Best regards
Stephan

> XML External Entity (XXE) injection in XPath
> --------------------------------------------
>
>                 Key: CAMEL-8312
>                 URL: https://issues.apache.org/jira/browse/CAMEL-8312
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-core
>    Affects Versions: 2.13.3, 2.14.1
>            Reporter: Stephan Siano
>            Assignee: Claus Ibsen
>             Fix For: 2.15.0
>
>         Attachments: 0001-CAMEL-8312-XXE-vulnerability-in-XPath-evaluator.patch
>
>
> If the documentType of an XPath expression is set to a class for which no type converter exists and the data to which the expression is applied is of type WrappedFile or String, the XPath will seem to work anyway. However, this setup will make the scenario susceptible to XXE injection attacks (because the InputSource created from the String or Generic file will be parsed by a default parser within the XPath evaluation and the XXE will succeed).
> Even worse, if the documentType is Document (the default) and the DOM parsing fails because the document is invalid and contains an XXE injection, this will allow DOS attacks on the system.
> The two unit tests contained in the patch show these two use cases (and throw a FileNotFoundException on an unchanged XPath builder).
> As a side effect the Exception in the XPathFeatureTest.testXPath changes (because initially there are errors during type conversion and during XPath evaluation whereas after the patch processing is stopped after the type conversion error).
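The description above hinges on which parser touches the raw text: an InputSource handed straight to an XPath evaluator goes through a default DocumentBuilder that resolves external entities, whereas a Document parsed up front with entity resolution disabled cannot be made to fetch anything. The following Java class is an added illustration of that defensive pattern and is not Camel code or part of the attached patch. It assumes the JDK's built-in Xerces parser (which understands the Apache feature URIs used below) and uses a constructed sample document whose SYSTEM entity points at a placeholder path that does not exist.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeHardenedParse {

    // Constructed sample (not from the issue): a DOCTYPE declaring an external entity.
    // The file path is a placeholder; a default parser would try to resolve it anyway.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE foo [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\">]>\n"
        + "<foo><bar>&ext;</bar></foo>";

    /** Factory with DTDs, external entities and entity expansion switched off.
     *  Feature URIs are Xerces-specific (assumed available in the JDK's internal parser). */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parse text with the hardened factory; any DOCTYPE is rejected before an entity is resolved. */
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the parser attempts to read the SYSTEM entity, which is the
        // behaviour the reporter saw as a FileNotFoundException in the unit tests.
        DocumentBuilder lax = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        try {
            lax.parse(new InputSource(new StringReader(SAMPLE)));
            System.out.println("default parser: entity resolved (unsafe)");
        } catch (Exception e) {
            System.out.println("default parser tried to resolve external entity: " + e);
        }

        // Hardened factory: the DOCTYPE itself is refused, so no resolution is ever attempted.
        try {
            parseHardened(SAMPLE);
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }

        // Evaluating XPath against an already parsed Document never re-parses the text,
        // so the evaluator's own default parser (the risky path in the issue) is not used.
        Document safe = parseHardened("<foo><bar>ok</bar></foo>");
        XPath xp = XPathFactory.newInstance().newXPath();
        System.out.println("xpath result: " + xp.evaluate("/foo/bar/text()", safe));
    }
}
```

The design point is that the XPath expression only ever sees a Document object: conversion from String or file to DOM happens once, under a factory whose settings the application controls, instead of implicitly inside the XPath evaluator with whatever defaults that evaluator's parser ships with.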



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)