Posted to hdfs-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/09/14 02:34:00 UTC

[jira] [Commented] (HDFS-16766) XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source

    [ https://issues.apache.org/jira/browse/HDFS-16766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17603850#comment-17603850 ] 

ASF GitHub Bot commented on HDFS-16766:
---------------------------------------

ashutoshcipher opened a new pull request, #4886:
URL: https://github.com/apache/hadoop/pull/4886

   ### Description of PR
   
   XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source.
   
   Solution - The change made in this PR disables DTDs regardless of the parser type, so the mitigation still holds if the parser changes later.
   
   
   ### For code changes:
   
   - [X] Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, `NOTICE-binary` files?
   
   

> XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source
> --------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-16766
>                 URL: https://issues.apache.org/jira/browse/HDFS-16766
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.4
>            Reporter: Jing
>            Assignee: Ashutosh Gupta
>            Priority: Major
>
> XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. The attack resides in XML input that contains references to an external entity and is parsed by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.
>  
> https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
