[ 
https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14581356#comment-14581356
 ] 

ASF subversion and git services commented on DERBY-6810:
--------------------------------------------------------

Commit 1684807 from [~bryanpendleton] in branch 'code/trunk'
[ https://svn.apache.org/r1684807 ]

DERBY-6810: Add regression tests for XXE vulnerability.

This patch was contributed by Abhinav Gupta (abhinavgupta2004 at gmail dot com)

This change adds a new regression test suite to hold tests for XXE
vulnerabilities in XML data type processing.

The new test case is in a suite by its own because we want to control the
overall security configuration (e.g., we want to ensure that no security
manager is installed).

Over time, as other types of XXE vulnerabilities are studied, we can add
additional test cases to this test suite.

Note that this test case demonstrates incorrect behavior, we believe. When
DERBY-6807 is fixed, this test case will need to be changed accordingly.

> Add regression tests for XXE vulnerability
> ------------------------------------------
>
>                 Key: DERBY-6810
>                 URL: https://issues.apache.org/jira/browse/DERBY-6810
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Bryan Pendleton
>            Assignee: Abhinav Gupta
>         Attachments: billionLaughs.diff, readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have an example using a local
> file disclosure.
> Another possibility would be to have an example based on the
> well-known "Billion Laughs" denial of service attack.
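As an added illustration of the two regression tests the issue asks for (this is example code written for this page, not Derby's test suite or either attached patch), the following Java program configures a JAXP DOM parser to refuse DTDs and external entities, then checks that a local-file-disclosure document and a short "Billion Laughs" entity chain are both rejected while a plain document still parses. The class and method names, the temporary secret file and the XML inputs are all constructed for the example; the parser feature URIs are the standard Xerces ones honoured by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

/**
 * Added example, not Derby code: a hardened DOM parser plus two
 * regression checks shaped like the issue's attachments (local file
 * disclosure and "Billion Laughs"). Both documents must be rejected
 * before any entity is resolved or expanded.
 */
public class XxeRegressionExample {

    /** Build a DocumentBuilder that refuses DOCTYPEs and external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE blocks inline entity bombs and external
        // entity declarations alike (Xerces feature used by the JDK parser).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still accept a DOCTYPE: no external
        // general or parameter entities, no external DTD, no XInclude.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** True if the parser refused the document with a parse error. */
    static boolean rejects(DocumentBuilder b, String xml) {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        } catch (Exception e) {
            return false; // I/O or other failure is a test bug, not a rejection
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = hardenedBuilder();

        // Constructed secret file standing in for the password file named in
        // the issue's attachment; nothing outside the temp directory is read.
        File secret = File.createTempFile("xxe-secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "SECRET-MARKER".getBytes(StandardCharsets.UTF_8));

        String fileDisclosure =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE d [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>\n" +
            "<d>&xxe;</d>";

        // Three-level entity chain: the shape of "Billion Laughs", deliberately
        // kept far too small to be a real expansion bomb.
        String billionLaughs =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE lolz [\n" +
            " <!ENTITY lol \"lol\">\n" +
            " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;\">\n" +
            " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;\">\n" +
            "]>\n" +
            "<lolz>&lol2;</lolz>";

        String benign = "<row><name>ok</name></row>";

        // Regression assertions: both hostile documents rejected, benign accepted.
        if (!rejects(b, fileDisclosure)) throw new AssertionError("file disclosure parsed");
        if (!rejects(b, billionLaughs)) throw new AssertionError("entity expansion parsed");
        if (rejects(b, benign)) throw new AssertionError("benign document rejected");
        System.out.println("hardened parser: all XXE regression checks passed");
    }
}
```

The test relies on `disallow-doctype-decl` as the primary control, which is why the check is "was a parse error raised" rather than "was the secret absent from the output": with a DOCTYPE refused outright, no entity is ever resolved, so a file is never opened and no expansion is attempted. The remaining feature settings matter only for parsers that must accept internal DTDs; they are kept so the configuration stays safe if that first feature is later relaxed.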



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)