Disable external entities resolution in the default XML parser to prevent XXE attacks

Description

The default behavior of Java XML parsers is to resolve external XML entities, which exposes any application that processes untrusted XML to XXE vulnerabilities.

By default, data.xml should initialize the XML parser with XXE processing disabled.
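
The weak default beside the hardened configuration, as an added example and not code from data.xml itself. It configures the JDK StAX parser (the `javax.xml.stream` API that a Clojure library would reach through interop) and checks both against a constructed document whose DTD declares an external entity pointing at a temp file created by the program; the class name `XxeCheck` and the helper names are assumptions.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeCheck {

    // Factory as the JDK ships it: DTDs are processed and external entities resolved.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened factory: no DTD processing and no external entity resolution.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Concatenate the character data the parser reports for the document.
    static String textContent(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) {
                sb.append(r.getText());
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a local file and a document whose DTD declares an
        // external entity that refers to it (assumed placeholder content).
        Path local = Files.createTempFile("xxe-check", ".txt");
        Files.writeString(local, "constructed-local-content");
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>\n"
                + "<d>&ext;</d>";

        // The default factory echoes the file content; the hardened one does not.
        System.out.println("default : " + textContent(defaultFactory(), xml));
        try {
            System.out.println("hardened: '" + textContent(hardenedFactory(), xml) + "'");
        } catch (XMLStreamException e) {
            // With DTDs ignored, the JDK parser rejects the now-undeclared entity.
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(local);
    }
}
```

Depending on the StAX implementation, the hardened run either throws for the undeclared entity or yields an empty string; either way the file content never reaches the application.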

Environment

None

Activity

Carlo Sciolla, September 28, 2014 at 5:51 PM

Great, thanks!

Ryan Senior, September 28, 2014 at 1:23 PM

Patch looks good, I've applied it. Thanks, Carlo.

Completed

Details

Labels

Patch

Code and Test

Created August 27, 2014 at 10:12 PM
Updated September 28, 2014 at 5:51 PM
Resolved September 28, 2014 at 5:51 PM