[
https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bryan Pendleton updated DERBY-6810:
-----------------------------------
Attachment: error-stacktrace.out
Attached is the error I get when running XMLXXETest on Linux. I see:
Caused by: java.net.UnknownHostException: home
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
        at java.net.Socket.connect(Socket.java:589)
        at java.net.Socket.connect(Socket.java:538)
        at sun.net.ftp.impl.FtpClient.doConnect(FtpClient.java:957)
        at sun.net.ftp.impl.FtpClient.tryConnect(FtpClient.java:917)
        at sun.net.ftp.impl.FtpClient.connect(FtpClient.java:1012)
        at sun.net.ftp.impl.FtpClient.connect(FtpClient.java:998)
        at sun.net.www.protocol.ftp.FtpURLConnection.connect(FtpURLConnection.java:294)
        at sun.net.www.protocol.ftp.FtpURLConnection.getInputStream(FtpURLConnection.java:393)
        at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:622)
Which suggests that the format of the URL in the XML document isn't quite what
we intend it to be.
> Add regression tests for XXE vulnerability
> ------------------------------------------
>
> Key: DERBY-6810
> URL: https://issues.apache.org/jira/browse/DERBY-6810
> Project: Derby
> Issue Type: Sub-task
> Reporter: Bryan Pendleton
> Assignee: Abhinav Gupta
> Attachments: billionLaughs.diff, error-stacktrace.out,
> readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have an example using a local
> file disclosure.
> Another possibility would be to have an example based on the
> well-known "Billion Laughs" denial of service attack.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
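The two regression tests proposed in the issue (local file disclosure and Billion Laughs), as an added, stand-alone JAXP example that is not Derby's XMLXXETest or any other Derby code. It builds both payloads, parses them with a default DocumentBuilder and with one that rejects DTDs outright, and fails if the hardened parser returns any leaked text. The class and method names are mine. One caveat relevant to the stack trace above: Java's built-in file: URL handler hands any file URL whose host part is non-empty and not localhost to the FTP handler, so a payload written as file://home/... (two slashes) is treated as host "home" and fails with exactly an FtpURLConnection/UnknownHostException; the example therefore derives the entity URL from File.toURI(), which yields a file:/abs/path form with an empty host.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example (not Derby code): XXE regression checks for a JAXP DOM parser. */
public class XxeRegressionDemo {

    /** Parser configured to refuse DTDs and external entities entirely. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE stops external entities (file disclosure, SSRF)
        // and internal entity bombs such as Billion Laughs in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a later change re-enables DOCTYPE:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parser with plain JAXP defaults, for comparison; it resolves external entities. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Returns the root element's text, or null when the parser rejects the document. */
    static String parseText(DocumentBuilder b, String xml) throws IOException {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            return null;   // DOCTYPE disallowed, entity limit hit, etc.
        }
    }

    /**
     * Local file disclosure payload. File.toURI() gives file:/abs/path (empty host);
     * a hand-written file://home/... would name host "home" and Java would try FTP.
     */
    static String fileDisclosure(File secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE x [<!ENTITY leak SYSTEM \"" + secret.toURI() + "\">]>\n"
             + "<x>&leak;</x>";
    }

    /** Billion Laughs: nine levels of ten-fold expansion, about 10^9 copies of "lol". */
    static String billionLaughs() {
        StringBuilder dtd = new StringBuilder("<!DOCTYPE x [<!ENTITY lol \"lol\">");
        for (int i = 1; i <= 9; i++) {
            dtd.append("<!ENTITY lol").append(i).append(" \"");
            for (int j = 0; j < 10; j++) {
                dtd.append("&lol").append(i == 1 ? "" : String.valueOf(i - 1)).append(';');
            }
            dtd.append("\">");
        }
        dtd.append("]>");
        return "<?xml version=\"1.0\"?>\n" + dtd + "\n<x>&lol9;</x>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret file standing in for the password file of readPasswordFile.diff.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "s3cret".getBytes(StandardCharsets.UTF_8));

        String leaked = parseText(defaultBuilder(), fileDisclosure(secret));
        System.out.println("default parser, file disclosure : " + leaked);

        String hardened = parseText(hardenedBuilder(), fileDisclosure(secret));
        System.out.println("hardened parser, file disclosure: " + hardened);
        if (hardened != null) throw new AssertionError("XXE file disclosure not blocked");

        String laughs = parseText(hardenedBuilder(), billionLaughs());
        System.out.println("hardened parser, billion laughs : " + laughs);
        if (laughs != null) throw new AssertionError("Billion Laughs not blocked");
    }
}
```

On a default JAXP setup the first line prints the secret file's contents, which is the behaviour the regression tests exist to rule out; the hardened parser returns null for both payloads because the DOCTYPE itself is rejected. Note that recent JDKs also cap entity expansion (the jdk.xml.entityExpansionLimit default), so a Billion Laughs test against an otherwise unhardened parser may already fail with a SAXParseException; a test that wants to prove its own check is doing the work should assert on the specific rejection reason rather than on "parse failed".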