[
https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14581364#comment-14581364
]
Bryan Pendleton commented on DERBY-6810:
----------------------------------------
This page, which discusses non-Java XML processing:
https://msdn.microsoft.com/en-us/magazine/ee335713.aspx
suggests:
The easiest way to defend against all types of XML entity attacks
is to simply disable altogether the use of inline DTD schemas in
your XML parsing objects. This is a straightforward application
of the principle of attack surface reduction: if you’re not using a
feature, turn it off so that attackers won’t be able to abuse it.
> Add regression tests for XXE vulnerability
> ------------------------------------------
>
> Key: DERBY-6810
> URL: https://issues.apache.org/jira/browse/DERBY-6810
> Project: Derby
> Issue Type: Sub-task
> Reporter: Bryan Pendleton
> Assignee: Abhinav Gupta
> Attachments: billionLaughs.diff, readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have a example using a local
> file disclosure.
> Another possibility would be to have example based on the
> well-known "Billion Laughs" denial of service attack.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
