[jira] [Commented] (DRILL-8461) Prevent XXE Attacks in XML Format Plugin

ASF GitHub Bot (Jira) Fri, 03 Nov 2023 07:25:08 -0700


    [ 
https://issues.apache.org/jira/browse/DRILL-8461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782586#comment-17782586
 ]


ASF GitHub Bot commented on DRILL-8461:
---------------------------------------

cgivre opened a new pull request, #2845:
URL: https://github.com/apache/drill/pull/2845

   # [DRILL-8461](https://issues.apache.org/jira/browse/DRILL-8461):  Prevent 
XXE Attacks in XML Format Plugin
   
   ## Description
   Drill's XML reader would allow a maliciously crafted XML file to perform an 
XML eXternal Entity injection (XXE)  attack.  This fix disables DTD parsing in 
the XML format plugin and prevents XXE attacks.
   
   ## Documentation
   No user facing changes.
   
   ## Testing
   Added unit test and tested manually.




> Prevent XXE Attacks in XML Format Plugin
> ----------------------------------------
>
>                 Key: DRILL-8461
>                 URL: https://issues.apache.org/jira/browse/DRILL-8461
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Format - XML
>    Affects Versions: 1.21.1
>            Reporter: Charles Givre
>            Assignee: Charles Givre
>            Priority: Critical
>             Fix For: 1.22.0
>
>
> Drill's XML reader would allow a maliciously crafted XML file to perform an 
> _XML eXternal Entity injection_ (XXE)  attack.  This fix disables DTD parsing 
> in the XML format plugin and prevents XXE attacks.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (DRILL-8461) Prevent XXE Attacks in XML Format Plugin

Reply via email to