[
https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14590877#comment-14590877
]
Bryan Pendleton commented on DERBY-6810:
----------------------------------------
I tried several experimental changes to SqlXmlUtil:
1 dBF.setExpandEntityReferences(false);
2 dBF.setFeature( XMLConstants.ACCESS_EXTERNAL_DTD, false );
3 dBF.setAttribute(
"http://apache.org/xml/features/disallow-doctype-decl";, false );
Number (1) and number (3) had no effect on the file access behavior of
XMLXXETest.testDerby6807FileAccess()
Number (2) didn't even compile in my environment.
> Add regression tests for XXE vulnerability
> ------------------------------------------
>
> Key: DERBY-6810
> URL: https://issues.apache.org/jira/browse/DERBY-6810
> Project: Derby
> Issue Type: Sub-task
> Reporter: Bryan Pendleton
> Assignee: Abhinav Gupta
> Attachments: billionLaughs.diff, readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have a example using a local
> file disclosure.
> Another possibility would be to have example based on the
> well-known "Billion Laughs" denial of service attack.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
