[ https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14584790#comment-14584790 ]

ASF subversion and git services commented on DERBY-6810:
--------------------------------------------------------

Commit 1685313 from [~bryanpendleton] in branch 'code/trunk'
[ https://svn.apache.org/r1685313 ]

DERBY-6810: Add regression tests for XXE vulnerability

This change adds the so-called "billion laughs" XML attack to the
XMLXXETest suite of XXE test cases. See:

    https://en.wikipedia.org/wiki/Billion_laughs

Note that even though this suite runs with no security manager, the default
limit of 64,000 entity expansions still applies, as documented in the Java
documentation here:

    http://docs.oracle.com/javase/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security

And thus Derby, even with no security manager, is not vulnerable to the
billion laughs attack, at least since J2SE version 5.

Even though this test case does not demonstrate any error in Derby behavior,
so far as I can tell, it is still a worthwhile test to have in the suite.

> Add regression tests for XXE vulnerability
> ------------------------------------------
>
>                 Key: DERBY-6810
>                 URL: https://issues.apache.org/jira/browse/DERBY-6810
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Bryan Pendleton
>            Assignee: Abhinav Gupta
>         Attachments: billionLaughs.diff, readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have an example using a local
> file disclosure.
> Another possibility would be to have an example based on the
> well-known "Billion Laughs" denial of service attack.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

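The commit message above states that a default JAXP parser, with no security manager and no extra configuration, already stops the billion laughs document at the JDK's 64,000 entity expansion limit. The following is an added example for checking that claim against a real parser; it is not code from the Derby test suite or from this JIRA thread. The class name `BillionLaughsCheck` and its two helper methods are this example's own; the document it builds is constructed inline. It also goes one step beyond the commit message by showing the usual XXE hardening, the Xerces `disallow-doctype-decl` feature, which refuses the DOCTYPE before any entity is even declared.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class BillionLaughsCheck {

    /**
     * Builds the classic "billion laughs" document: lol1 references &lol;
     * ten times, lol2 references &lol1; ten times, and so on, and the body
     * references the last entity once. With depth 9 and fanout 10 the fully
     * expanded text would hold 10^9 copies of "lol" (roughly 3 GB).
     */
    static String billionLaughs(int depth, int fanout) {
        StringBuilder sb = new StringBuilder();
        sb.append("<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n");
        sb.append(" <!ENTITY lol \"lol\">\n");
        for (int i = 1; i <= depth; i++) {
            String prev = (i == 1) ? "lol" : "lol" + (i - 1);
            sb.append(" <!ENTITY lol").append(i).append(" \"");
            for (int j = 0; j < fanout; j++) {
                sb.append('&').append(prev).append(';');
            }
            sb.append("\">\n");
        }
        sb.append("]>\n<lolz>&lol").append(depth).append(";</lolz>\n");
        return sb.toString();
    }

    /**
     * Parses the document with JAXP and returns true if the parser rejects it.
     *
     * hardened == false uses the factory defaults, which is the situation the
     * commit message describes: nothing is configured, yet the JDK's entity
     * expansion limit (64,000 by default) aborts the parse with a fatal error.
     * hardened == true additionally refuses any DOCTYPE, the standard XXE
     * mitigation; the document is then rejected on the DOCTYPE line itself.
     */
    static boolean parserRejects(String xml, boolean hardened)
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (hardened) {
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        try {
            dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return false;   // document expanded fully: this parser is exposed
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return true;    // e.g. the entity-expansion-limit fatal error
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e); // not reachable for a StringReader
        }
    }

    public static void main(String[] args) throws Exception {
        String xml = billionLaughs(9, 10);
        System.out.println("default parser rejects:  " + parserRejects(xml, false));
        System.out.println("hardened parser rejects: " + parserRejects(xml, true));
    }
}
```

Both calls should print `true` on any JDK that ships the expansion limit. The limit is tunable: the Java 5 document linked above describes the `entityExpansionLimit` system property, and current JDKs use `jdk.xml.entityExpansionLimit` (a value of 0 disables the limit), so a deployment that raises or disables it reopens the denial-of-service path; the `disallow-doctype-decl` feature does not depend on that limit and is the setting to prefer when an application never needs a DTD.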