You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2015/07/04 22:13:04 UTC
[jira] [Commented] (DERBY-6810) Add regression tests for XXE
vulnerability
[ https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14614040#comment-14614040 ]
ASF subversion and git services commented on DERBY-6810:
--------------------------------------------------------
Commit 1689194 from [~bryanpendleton] in branch 'code/trunk'
[ https://svn.apache.org/r1689194 ]
DERBY-6810: Add regression tests for XXE vulnerability
This change adds tests which provoke XML External Entity vulnerabilities
in the XmlVTI class. One test demonstrates a file access vulnerability;
the other test attempts the "billion laughs" attack. These are the XmlVTI
versions of similar tests added in revision 1685313.
These new tests exercise error-handling code paths in XmlVTI and hence
are related to (and serve as tests of) the changes made by DERBY-6820.
> Add regression tests for XXE vulnerability
> ------------------------------------------
>
> Key: DERBY-6810
> URL: https://issues.apache.org/jira/browse/DERBY-6810
> Project: Derby
> Issue Type: Sub-task
> Reporter: Bryan Pendleton
> Assignee: Abhinav Gupta
> Attachments: billionLaughs.diff, error-stacktrace.out, readPasswordFile.diff, vtiTests.diff, vtiTests2.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have a example using a local
> file disclosure.
> Another possibility would be to have example based on the
> well-known "Billion Laughs" denial of service attack.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)