[ https://issues.apache.org/jira/browse/CAMEL-8312?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Müller updated CAMEL-8312:
------------------------------------
    Description: If the documentType of an XPath expression is set to a class for which no type converter exists and the data to which the expression is applied is of type WrappedFile or String, the XPath will seem to work anyway. However, this setup will create issues by using an InputSource created from the String or Generic file.  (was: If the documentType of an XPath expression is set to a class for which no type converter exists and the data to which the expression is applied is of type WrappedFile or String, the XPath will seem to work anyway. However, this setup will make the scenario susceptible to XXE injection attacks (because the InputSource created from the String or Generic file will be parsed by a default parser within the XPath evaluation, and the XXE will succeed).

Even worse, if the documentType is Document (the default) and the DOM parsing fails because the document is invalid and contains an XXE injection, this will allow DoS attacks on the system.

The two unit tests contained in the patch show these two use cases (and throw a FileNotFoundException on an unchanged XPath builder).

As a side effect, the Exception in XPathFeatureTest.testXPath changes (because initially there are errors during type conversion and during XPath evaluation, whereas after the patch processing is stopped after the type conversion error).)

> XML External Entity (XXE) issue in XPath
> ----------------------------------------
>
>                 Key: CAMEL-8312
>                 URL: https://issues.apache.org/jira/browse/CAMEL-8312
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-core
>    Affects Versions: 2.13.3, 2.14.1
>            Reporter: Stephan Siano
>            Assignee: Claus Ibsen
>             Fix For: 2.13.4, 2.14.3, 2.15.0
>
>
> If the documentType of an XPath expression is set to a class for which no type 
> converter exists and the data to which the expression is applied is of type 
> WrappedFile or String, the XPath will seem to work anyway. However, this setup 
> will create issues by using an InputSource created from the String or Generic 
> file.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
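The mechanism the description points at, as an added illustration that is not part of the issue, the patch, or Camel's code base: when an XPath is evaluated directly against an InputSource built from a String, the JAXP XPath engine parses that InputSource with its own default DocumentBuilder, and a default JAXP parser resolves external entities (whether it does so on a given JDK depends on that JDK's JAXP configuration; the stock settings of the JDKs current when this issue was filed do). The hardened variant parses first with a DocumentBuilderFactory that rejects any DOCTYPE and only then hands the Document to the XPath. The payload, the temporary "secret" file it reads, the class and method names are all constructed for this example.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not Camel code): XPath evaluated on a raw InputSource versus
 * XPath evaluated on a Document produced by a hardened parser. Uses only the
 * standard javax.xml APIs; names and payload are constructed for illustration.
 */
public class XPathXxeDemo {

    /** Constructed XXE payload: an external general entity that reads a local file. */
    static String xxePayload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<foo><bar>&xxe;</bar></foo>";
    }

    /** Vulnerable path: the XPath engine parses the InputSource with a default DocumentBuilder. */
    static String evaluateOnInputSource(String xml) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate("/foo/bar/text()", new InputSource(new StringReader(xml)));
    }

    /** Hardened path: parse with a locked-down factory first, then evaluate on the Document. */
    static String evaluateOnHardenedDocument(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting every DOCTYPE stops both external entities (XXE) and
        // entity-expansion DoS payloads before any entity is ever declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate("/foo/bar/text()", doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file the attacker wants to read.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, "s3cr3t".getBytes(StandardCharsets.UTF_8));
        String payload = xxePayload(secret);

        // Default parser resolves the entity: the file contents leak into the XPath result.
        System.out.println("default parser : " + evaluateOnInputSource(payload));

        // Hardened parser refuses the document before the XPath ever runs.
        try {
            evaluateOnHardenedDocument(payload);
            System.out.println("hardened parser: unexpectedly accepted the document");
        } catch (SAXParseException e) {
            System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Read against the description: the vulnerable method is the fallback the reporter describes (a String or WrappedFile that no converter turns into the requested documentType ends up as an InputSource that the XPath engine parses itself), while the hardened method is the shape of the safe path, converting the body to a Document with a parser you control before the XPath sees it. The same disallow-doctype-decl setting also covers the second scenario in the description, because a document that cannot declare entities cannot carry an entity-expansion DoS payload into the DOM parse.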