You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@drill.apache.org by "James Turton (Jira)" <ji...@apache.org> on 2024/01/02 07:44:00 UTC
[jira] [Closed] (DRILL-8461) Prevent XXE Attacks in XML Format Plugin
[ https://issues.apache.org/jira/browse/DRILL-8461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Turton closed DRILL-8461.
-------------------------------
Resolution: Fixed
> Prevent XXE Attacks in XML Format Plugin
> ----------------------------------------
>
> Key: DRILL-8461
> URL: https://issues.apache.org/jira/browse/DRILL-8461
> Project: Apache Drill
> Issue Type: Bug
> Components: Format - XML
> Affects Versions: 1.21.1
> Reporter: Charles Givre
> Assignee: Charles Givre
> Priority: Critical
> Fix For: 1.21.2
>
>
> Drill's XML reader would allow a maliciously crafted XML file to perform an _XML eXternal Entity injection_ (XXE) attack. This fix disables DTD parsing in the XML format plugin and prevents XXE attacks.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)