[
https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14590905#comment-14590905
]
Bryan Pendleton commented on DERBY-6810:
----------------------------------------
Oh! In number (3) above, I had a double-negative problem. The correct line of
code is:
dBF.setAttribute( "http://apache.org/xml/features/disallow-doctype-decl";, true
);
(That is, set the "disallow" feature to "true" :) )
With that line in place, the behavior DOES change, and we get an error due to
the
presence of the DOCTYPE.
ALSO, I had success with this:
dBF.setFeature(
"http://xml.org/sax/features/external-general-entities";, false );
with this change, the xml document does not provoke an error, it just quietly
doesn't expand the &xxe entity, and the result of the entity references is an
empty string.
Good news! This may be progress.
> Add regression tests for XXE vulnerability
> ------------------------------------------
>
> Key: DERBY-6810
> URL: https://issues.apache.org/jira/browse/DERBY-6810
> Project: Derby
> Issue Type: Sub-task
> Reporter: Bryan Pendleton
> Assignee: Abhinav Gupta
> Attachments: billionLaughs.diff, readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have a example using a local
> file disclosure.
> Another possibility would be to have example based on the
> well-known "Billion Laughs" denial of service attack.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
