[
https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14595196#comment-14595196
]
ASF subversion and git services commented on DERBY-6810:
--------------------------------------------------------
Commit 1686755 from [~bryanpendleton] in branch 'code/trunk'
[ https://svn.apache.org/r1686755 ]
DERBY-6810: Add regression tests for XXE vulnerability
This change adjusts XMLXXETest.testDerby6807FileAccess() slightly so
that it doesn't add an extra File.separator, which appeared to throw
off the file: scheme parsing on Unix platforms and caused the test to
misbehave.
For me, the test now behaves as expected on both Windows and Linux.
This change also re-adds XMLXXETest to XMLSuite so that it will get
run by the main Jenkins build scripts and we can see how it behaves
on those platforms.
> Add regression tests for XXE vulnerability
> ------------------------------------------
>
> Key: DERBY-6810
> URL: https://issues.apache.org/jira/browse/DERBY-6810
> Project: Derby
> Issue Type: Sub-task
> Reporter: Bryan Pendleton
> Assignee: Abhinav Gupta
> Attachments: billionLaughs.diff, error-stacktrace.out,
> readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have an example using a local
> file disclosure.
> Another possibility would be to have an example based on the
> well-known "Billion Laughs" denial of service attack.
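As an added example that is not from the Derby project or this ticket's attachments: a stand-alone check of the hardened JAXP parser configuration that a regression test of this kind would exercise. Both documents are constructed samples (the entity expansion is only two levels deep and the file path is a placeholder); the feature URIs are the standard Xerces/JAXP ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXParseException;

public class XxeHardeningCheck {

    // Constructed sample: "Billion Laughs"-style nested entity expansion, kept to two levels.
    static final String ENTITY_EXPANSION =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [<!ENTITY lol \"lol\">"
      + "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;\">]>\n"
      + "<lolz>&lol2;</lolz>";

    // Constructed sample: external entity naming a local file (placeholder path) that must never be read.
    static final String EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">]>\n"
      + "<d>&ext;</d>";

    /** Parser that refuses any DOCTYPE, which shuts off both entity expansion and external entities. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns true when the hardened parser rejects the document, false if it parsed it. */
    static boolean rejects(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true; // fatal error raised at the DOCTYPE, before any entity is resolved
        }
    }

    public static void main(String[] args) throws Exception {
        // Regression check: both constructed documents must be rejected.
        if (!rejects(ENTITY_EXPANSION) || !rejects(EXTERNAL_ENTITY)) {
            throw new AssertionError("hardened parser accepted a DOCTYPE-bearing document");
        }
        System.out.println("OK: DOCTYPE-bearing inputs rejected");
    }
}
```

The default error handler may additionally print a "[Fatal Error]" line to stderr for each rejected document; that is the parser reporting the refused DOCTYPE, not a test failure.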