| Log Message: |
DERBY-6807: XXE attack possible by using XmlVTI and the XML datatype
I believe that, when a Java Security Manager is in place, the XML Parser
instantiated by SqlXmlUtil obeys the policies defined by that security
manager, and hence is not vulnerable to XXE attacks (in the sense that
the only attacks that will succeed are those which are permitted by the
security policy).
But when a Java Security Manager is not in place, the SqlXmlUtil code
could be more secure.
This change modifies SqlXmlUtil so that it can detect that there is no
active Security Manager, and, if so, it now disables external entity
expansion and enables FEATURE_SECURE_PROCESSING.
|