You are viewing a plain text version of this content. The canonical link for it is here.

Posted to derby-dev@db.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2015/07/04 22:13:04 UTC

[jira] [Commented] (DERBY-6810) Add regression tests for XXE vulnerability

    [ https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14614040#comment-14614040 ] 

ASF subversion and git services commented on DERBY-6810:
--------------------------------------------------------

Commit 1689194 from [~bryanpendleton] in branch 'code/trunk'
[ https://svn.apache.org/r1689194 ]

DERBY-6810: Add regression tests for XXE vulnerability

This change adds tests which provoke XML External Entity vulnerabilities
in the XmlVTI class. One test demonstrates a file access vulnerability;
the other test attempts the "billion laughs" attack. These are the XmlVTI
versions of similar tests added in revision 1685313.

These new tests exercise error-handling code paths in XmlVTI and hence
are related to (and serve as tests of) the changes made by DERBY-6820.

> Add regression tests for XXE vulnerability
> ------------------------------------------
>
>                 Key: DERBY-6810
>                 URL: https://issues.apache.org/jira/browse/DERBY-6810
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Bryan Pendleton
>            Assignee: Abhinav Gupta
>         Attachments: billionLaughs.diff, error-stacktrace.out, readPasswordFile.diff, vtiTests.diff, vtiTests2.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have a example using a local
> file disclosure.
> Another possibility would be to have example based on the
> well-known "Billion Laughs" denial of service attack.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)