[ https://issues.apache.org/jira/browse/DERBY-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Pendleton reopened DERBY-6810:
------------------------------------

After further study, I realize that the new tests in XMLXXETest exercise the built-in Derby XML datatype, but do not exercise the XmlVTI. Since the XmlVTI also creates an XML parser and calls it, it may also be vulnerable to XXE attacks, and so we need to test it as well. Re-opening the issue because we have more tests to write.

> Add regression tests for XXE vulnerability
> ------------------------------------------
>
> Key: DERBY-6810
> URL: https://issues.apache.org/jira/browse/DERBY-6810
> Project: Derby
> Issue Type: Sub-task
> Reporter: Bryan Pendleton
> Assignee: Abhinav Gupta
> Attachments: billionLaughs.diff, readPasswordFile.diff
>
>
> We should add some regression tests demonstrating that
> Derby is no longer vulnerable to an XXE assault.
> One possibility would be to have an example using a local
> file disclosure.
> Another possibility would be to have an example based on the
> well-known "Billion Laughs" denial of service attack.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
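An added example of the kind of check such a regression test would make against a JAXP parser (hypothetical code, not Derby's own XmlVTI or XMLXXETest; the SYSTEM path is a placeholder): a builder hardened to refuse any DOCTYPE, so both the local-file-disclosure and the entity-expansion ("Billion Laughs") inputs named in the issue are rejected before parsing proceeds.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

// Hypothetical regression check; not Derby project code.
public class XxeRegressionCheck {

    // A parser that refuses any DOCTYPE: no external entities (file
    // disclosure) and no internal entity expansion (Billion Laughs).
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // True when the hardened parser rejects the document, which is the
    // expected outcome for any DOCTYPE-bearing input; false if it parses.
    static boolean rejects(String xml) throws Exception {
        try {
            hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: external entity with a placeholder file path.
        String externalEntity = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/file.txt\">]>"
            + "<d>&ext;</d>";
        // Constructed sample: internal entity, the building block of Billion Laughs.
        String internalEntity = "<!DOCTYPE d [<!ENTITY a \"x\">]><d>&a;</d>";
        // Constructed sample: ordinary document with no DTD must still parse.
        String plain = "<d>ok</d>";
        if (!rejects(externalEntity) || !rejects(internalEntity) || rejects(plain)) {
            throw new AssertionError("hardened parser did not behave as expected");
        }
        System.out.println("XXE regression check passed");
    }
}
```

A test for a component like XmlVTI would apply the same three inputs through the component's own entry point rather than directly to a DocumentBuilder, asserting that the DTD-bearing inputs fail and the plain one succeeds.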