Skip to content

XXE security issue using the XML provider #1286

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
thboileau opened this issue Sep 27, 2017 · 2 comments
Closed

XXE security issue using the XML provider #1286

thboileau opened this issue Sep 27, 2017 · 2 comments
Assignees
@thboileau
Labels
Priority: blocking State: new Version: 2.3

Comments

@thboileau
Copy link
Contributor

thboileau commented Sep 27, 2017
edited by quilicicf
Loading

No description provided.

@thboileau thboileau self-assigned this Sep 27, 2017
@thboileau
Copy link
Contributor Author

thboileau commented Sep 27, 2017
edited
Loading

We have an issue with the Xml parser that leverages simple xml framework.
The author of the library has been contacted.
If nothing can be done quickly, we may have to turn the ability to parser XML off, at least for a while.

Here is a way to fix the issue with DOM parser: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

@thboileau
Copy link
Contributor Author

more details coming on https://lgtm.com/blog/

thboileau added a commit that referenced this issue Sep 28, 2017
@thboileau
XEE injection security fix in Jax-rs extension. Issue #1286. Reported…
09545f2 
… by Man Yue Mo.
thboileau added a commit that referenced this issue Sep 28, 2017
@thboileau
Merge pull request #1287 from restlet/2.3.11_xee_security_issue_in_ja…
7c26367 
…xrs_extension

XEE injection security fix in Jax-rs extension. Issue #1286. Reported…
thboileau added a commit that referenced this issue Sep 28, 2017
@thboileau
XEE injection security fix in Jax-rs extension. Issue #1286. Reported…
72e6ceb 
… by Man Yue Mo.
thboileau added a commit that referenced this issue Oct 5, 2017
@thboileau
XEE injection security fix in Jax-rs extension. Issue #1286. Reported…
67f0889 
… by Man Yue Mo.
thboileau added a commit that referenced this issue Oct 5, 2017
@thboileau
XEE injection security fix in Jax-rs extension. Issue #1286. Reported…
87d4326 
… by Man Yue Mo.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@thboileau thboileau

Labels
Priority: blocking State: new Version: 2.3
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@thboileau