[
https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14558356#comment-14558356
]
Bryan Pendleton commented on DERBY-6810:
----------------------------------------
I experimentally tried the following change to SqlXmlUtil.java but I didn't see
any change in the behavior of the new test. I'm not sure if I expected to see
a change or not.
Index: java/engine/org/apache/derby/iapi/types/SqlXmlUtil.java
===================================================================
--- java/engine/org/apache/derby/iapi/types/SqlXmlUtil.java (revision
1681529)
+++ java/engine/org/apache/derby/iapi/types/SqlXmlUtil.java (working copy)
@@ -197,6 +197,7 @@
dBF.setValidating(false);
dBF.setNamespaceAware(true);
+ dBF.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
// Load document builder that can be used for parsing XML.
dBuilder = dBF.newDocumentBuilder();
> Add regression tests for XXE vulnerability
> ------------------------------------------
>
> Key: DERBY-6810
> URL: https://issues.apache.org/jira/browse/DERBY-6810
> Project: Derby
> Issue Type: Sub-task
> Reporter: Bryan Pendleton
> Assignee: Abhinav Gupta
> Attachments: billionLaughs.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have a example using a local
> file disclosure.
> Another possibility would be to have example based on the
> well-known "Billion Laughs" denial of service attack.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
