You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@drill.apache.org by "James Turton (Jira)" <ji...@apache.org> on 2024/01/02 07:44:00 UTC

[jira] [Closed] (DRILL-8461) Prevent XXE Attacks in XML Format Plugin

     [ https://issues.apache.org/jira/browse/DRILL-8461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Turton closed DRILL-8461.
-------------------------------
    Resolution: Fixed

> Prevent XXE Attacks in XML Format Plugin
> ----------------------------------------
>
>                 Key: DRILL-8461
>                 URL: https://issues.apache.org/jira/browse/DRILL-8461
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Format - XML
>    Affects Versions: 1.21.1
>            Reporter: Charles Givre
>            Assignee: Charles Givre
>            Priority: Critical
>             Fix For: 1.21.2
>
>
> Drill's XML reader would allow a maliciously crafted XML file to perform an _XML eXternal Entity injection_ (XXE)  attack.  This fix disables DTD parsing in the XML format plugin and prevents XXE attacks.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)