[ 
https://issues.apache.org/jira/browse/ACCUMULO-4534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15734365#comment-15734365
 ] 

Christopher Tubbs commented on ACCUMULO-4534:
---------------------------------------------

Sure thing. I offered my comments on the PR.

> Remove XML external entity issue in RestoreZooKeeper
> ----------------------------------------------------
>
>                 Key: ACCUMULO-4534
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4534
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.7.3, 1.8.1, 2.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> There appears to be an issue in RestoreZooKeeper in which the tool may, with 
> specially crafted XML, load external files on the system. I'm not going the 
> normal vulnerability route with this because the command is executed by a 
> user on an XML file they provide (so, the vector is that you attacked 
> yourself out of ignorance).
> However, it would still be good to remove this as a possibility since it's 
> very simple. This was found by a static analysis tool.
> For more info, 
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
>  is a good writeup.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
