[
https://issues.apache.org/jira/browse/CAMEL-8312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14342817#comment-14342817
]
Stephan Siano edited comment on CAMEL-8312 at 3/2/15 7:06 AM:
--------------------------------------------------------------
Hi Claus,
are you sure that you want to delay this till 2.15.0? An unpatched XXE
injection vulnerability is actually a security issue that should be patched
ASAP.
I think this issue (and CAMEL-8311) are about as serious as the ones in
CVE-2014-0002 and CVE-2014-0003.
Best regards
Stephan
was (Author: siano):
Hi Claus,
are you sure that you want to delay this till 2.15.0? An unpatched XXE
injection vulnerability is actually a security issue that should be patched
ASAP.
Best regards
Stephan
> XML External Entity (XXE) injection in XPath
> --------------------------------------------
>
> Key: CAMEL-8312
> URL: https://issues.apache.org/jira/browse/CAMEL-8312
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Affects Versions: 2.13.3, 2.14.1
> Reporter: Stephan Siano
> Assignee: Claus Ibsen
> Fix For: 2.15.0
>
> Attachments:
> 0001-CAMEL-8312-XXE-vulnerability-in-XPath-evaluator.patch
>
>
> If the documentType of an XPath expression is set to a class for which no type
> converter exists and the data to which the expression is applied is of type
> WrappedFile or String, the XPath will seem to work anyway. However, this setup
> will make the scenario susceptible to XXE injection attacks (because the
> InputSource created from the String or GenericFile will be parsed by a
> default parser within the XPath evaluation and the XXE will succeed).
> Even worse, if the documentType is Document (the default) and the DOM parsing
> fails because the document is invalid and contains an XXE injection, this will
> allow DoS attacks on the system.
> The two unit tests contained in the patch show these two use cases (and throw
> a FileNotFoundException on an unchanged XPath builder).
> As a side effect the Exception in the XPathFeatureTest.testXPath changes
> (because initially there are errors during type conversion and during XPath
> evaluation whereas after the patch processing is stopped after the type
> conversion error).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
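The issue description above contrasts handing the XPath engine a raw InputSource (which it parses with its own default parser) with parsing the document first. The following is an added illustration, not part of the Camel issue or its patch: it shows the two call shapes side by side in plain JAXP and a hardened DocumentBuilderFactory that rejects any DOCTYPE before an entity can be resolved. The class name, the test document and the placeholder path /nonexistent/placeholder.txt are assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathXxeHardening {

    // Constructed test document: declares an external entity pointing at a
    // placeholder path that does not exist. A parser that resolves entities
    // fails while trying to read it; a hardened parser rejects the DOCTYPE first.
    static final String XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY ext SYSTEM \"file:///nonexistent/placeholder.txt\"> ]>\n"
      + "<foo>&ext;</foo>";

    // Hardened factory: no DOCTYPE (hence no entity declarations), no external
    // general or parameter entities, no external DTD loading, no XInclude.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Shape the issue warns about: the XPath engine receives a raw InputSource
    // and parses it with a default parser whose entity handling we do not control.
    static String evaluateUnsafe(String expr, String xml) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate(expr, new InputSource(new StringReader(xml)));
    }

    // Hardened shape: parse with the locked-down builder and pass a Document,
    // so the XPath engine never instantiates a parser of its own.
    static String evaluateSafe(String expr, String xml) throws Exception {
        Document doc = hardenedFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
        return XPathFactory.newInstance().newXPath().evaluate(expr, doc);
    }

    public static void main(String[] args) {
        for (String mode : new String[] {"unsafe", "safe"}) {
            try {
                String r = mode.equals("safe") ? evaluateSafe("/foo", XML) : evaluateUnsafe("/foo", XML);
                System.out.println(mode + ": evaluated to '" + r + "'");
            } catch (Exception e) {
                System.out.println(mode + ": rejected with " + e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
    }
}
```

Running it, the safe path fails fast with a parse error about the disallowed DOCTYPE, while the unsafe path reports whatever the default parser does when it tries to resolve the entity, which is the behaviour a unit test against such a pipeline should pin down.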