[
https://issues.apache.org/jira/browse/HDFS-16766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17609872#comment-17609872
]
ASF GitHub Bot commented on HDFS-16766:
---------------------------------------
ashutoshcipher commented on PR #4886:
URL: https://github.com/apache/hadoop/pull/4886#issuecomment-1259095425
Thanks @aajisaka for reviewing and merging.
> XML External Entity (XXE) attacks can occur while processing XML received
> from an untrusted source
> --------------------------------------------------------------------------------------------------
>
> Key: HDFS-16766
> URL: https://issues.apache.org/jira/browse/HDFS-16766
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.4
> Reporter: Jing
> Assignee: Ashutosh Gupta
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.0, 3.3.9, 3.2.5
>
>
> XML External Entity (XXE) attacks can occur when an XML parser supports XML
> entities while processing XML received from an untrusted source. The attack
> resides in XML input containing references to an external entity an is parsed
> by the weakly configured javax.xml.parsers.DocumentBuilder XML parser.
>
> https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java#L93
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
