[
https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Abhinav Gupta updated DERBY-6810:
---------------------------------
Comment: was deleted
(was: Hi Bryan,
I read more about Billion Laughs and what I understand is that capping the
memory allocated, and thus the number of entity expansions, is one of the
ways of defending against this attack.
So isn't limiting an expansion of a billion entities to 64,000 a successful
way to stop the attack?)
> Add regression tests for XXE vulnerability
> ------------------------------------------
>
> Key: DERBY-6810
> URL: https://issues.apache.org/jira/browse/DERBY-6810
> Project: Derby
> Issue Type: Sub-task
> Reporter: Bryan Pendleton
> Assignee: Abhinav Gupta
> Attachments: billionLaughs.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have an example using a local
> file disclosure.
> Another possibility would be to have an example based on the
> well-known "Billion Laughs" denial of service attack.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)