[ 
https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14581363#comment-14581363
 ] 

Bryan Pendleton commented on DERBY-6810:
----------------------------------------

Here is a bit of documentation about the 64,000 entity expansion limit
demonstrated by the "billion laughs" test:

http://docs.oracle.com/javase/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security

I'm still having trouble finding much information about the file disclosure
vulnerability and whether there are mechanisms other than the
Java security manager which control it. This page:

http://blog.gdssecurity.com/labs/2014/6/13/castor-library-xml-external-entity-xxe-vulnerability.html

suggests that we investigate the external-general-entities and the
external-parameter-entities features of the XML parser, while this page:

http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa

suggests that we investigate the disallow-doctype-decl feature of the XML 
parser, and this page:

https://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security

suggests that all these features are automatically enabled whenever a Java 
security manager is present.

Still researching... 

> Add regression tests for XXE vulnerability
> ------------------------------------------
>
>                 Key: DERBY-6810
>                 URL: https://issues.apache.org/jira/browse/DERBY-6810
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Bryan Pendleton
>            Assignee: Abhinav Gupta
>         Attachments: billionLaughs.diff, readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have an example using a local
> file disclosure.
> Another possibility would be to have an example based on the
> well-known "Billion Laughs" denial of service attack.
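A JAXP configuration that turns on the three parser features named in the comment above, added here as an illustration and not code from the Derby project or its attached patches; the feature URIs are the standard SAX/Xerces names, and the two sample documents are constructed (the DOCTYPE one declares only a harmless internal entity, enough to show that the parser rejects any DTD):

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Standard feature URIs for the three knobs discussed in the comment.
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAM   = "http://xml.org/sax/features/external-parameter-entities";
    static final String NO_DOCTYPE  = "http://apache.org/xml/features/disallow-doctype-decl";

    // Builds a DocumentBuilder that refuses DOCTYPEs outright (which also defeats
    // entity-expansion DoS, since no entities can be declared) and, as a second
    // layer, never resolves external entities should a DTD ever be permitted.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(NO_DOCTYPE, true);    // reject internal and external DTD subsets
        f.setFeature(EXT_GENERAL, false);  // do not resolve &ext; (local file disclosure)
        f.setFeature(EXT_PARAM, false);    // do not resolve %ext; in the DTD
        f.setXIncludeAware(false);         // XInclude is another file-read path
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the document parsed, false if the parser rejected it.
    static boolean parses(DocumentBuilder b, String xml) throws java.io.IOException {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (SAXException e) {
            return false;  // e.g. "DOCTYPE is disallowed when the feature ... is true"
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = newHardenedBuilder();
        // Constructed inputs: a plain document and one carrying an internal-only DOCTYPE.
        String plain = "<row><col>value</col></row>";
        String withDoctype = "<!DOCTYPE row [ <!ENTITY e \"value\"> ]><row><col>&e;</col></row>";
        System.out.println("plain document accepted:   " + parses(b, plain));
        System.out.println("DOCTYPE document accepted: " + parses(b, withDoctype));
    }
}
```

A regression test of the kind the issue asks for can feed the attached billion-laughs and file-read documents through such a builder and assert that parsing fails before any entity is resolved.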


