[ 
https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14568473#comment-14568473
 ] 

Bryan Pendleton commented on DERBY-6807:
----------------------------------------

I changed line 96 of XMLTypeAndOpsTest.java so it read:

        return SecurityManagerSetup.noSecurityManager(new XMLTestSetup(suite));

which causes this entire test suite to run without the standard Derby Security
manager in place. After I did this, the new test case now results in:

    Expected: >NULL<
    Found:    ><yolo>HelloWorld^M
</yolo><

I think this means that the test case therefore demonstrates the bug.

However, enabling FEATURE_SECURE_PROCESSING in SqlXmlUtils.java had
no effect on running the test.

Moreover, I don't think that we want *all* of XMLTypeAndOpsTest to run with
no security manager in place, so I think this means that we want to take our
two new test cases (the test case attached to this issue, and the test case
attached to DERBY-6810), and put them in a new test suite by themselves,
with no security manager installed, and see if that standalone test suite
demonstrates the vulnerability.

Then, we still have to figure out where to put the FEATURE_SECURE_PROCESSING
to address the vulnerability.



> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
>                 Key: DERBY-6807
>                 URL: https://issues.apache.org/jira/browse/DERBY-6807
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: error-stacktrace.out, xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to 
> expose sensitive information or launch denial-of-service assaults. This issue 
> has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe 
> Arteau.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
