
Revision 1691461


Author: bpendleton
Date: Fri Jul 17 00:13:38 2015 UTC (7 years, 10 months ago)
Changed paths: 2
Log Message:
DERBY-6807: XXE attack possible by using XmlVTI and the XML datatype


I believe that, when a Java Security Manager is in place, the XML Parser
instantiated by SqlXmlUtil obeys the policies defined by that security
manager, and hence is not vulnerable to XXE attacks (in the sense that
the only attacks that will succeed are those which are permitted by the
security policy).

But when a Java Security Manager is not in place, the SqlXmlUtil code
could be more secure.

This change modifies SqlXmlUtil so that it can detect that there is no
active Security Manager, and, if so, it now disables external entity
expansion and enables FEATURE_SECURE_PROCESSING.



Changed paths

Path Details
db/derby/code/trunk/java/engine/org/apache/derby/iapi/types/SqlXmlUtil.java    modified, text changed
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java    modified, text changed
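
The hardening the log message describes, sketched as an added example; it is not the code from this revision or from Derby. The class and method names, the two SAX feature URIs chosen to switch off external entities, and the temp-file sample document are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {
    // Hypothetical helper (not Derby's SqlXmlUtil): build a factory and, when no
    // Security Manager is active, apply the two mitigations the log message names.
    static DocumentBuilderFactory newFactory(boolean harden) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        if (harden && System.getSecurityManager() == null) {
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Assumed feature URIs: the standard SAX switches for external entities.
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        }
        return dbf;
    }

    // Returns true if the parsed document contains the marker from the local file.
    static boolean leaks(DocumentBuilderFactory dbf, String xml, String marker) throws Exception {
        try {
            Document doc = dbf.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            String text = doc.getDocumentElement().getTextContent();
            return text != null && text.contains(marker);
        } catch (SAXException rejected) {
            return false; // parser refused the external entity outright
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file standing in for data the XML should not reach.
        String marker = "CONSTRUCTED-MARKER-12345";
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, marker.getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"" + secret.toUri() + "\"> ]>\n"
                + "<doc>&ext;</doc>";
        System.out.println("default factory leaks:  " + leaks(newFactory(false), xml, marker));
        System.out.println("hardened factory leaks: " + leaks(newFactory(true), xml, marker));
        Files.delete(secret);
    }
}
```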
