RESTEASY-647

RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks, Part II

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 2.3.1
    • Fix Version/s: 2.3.2.Final
    • Component/s: jaxrs
    • Labels: None
    • Environment: ALL
    • Estimated Difficulty: Medium

    Description

    For description, see RESTEASY-637. I fixed the problem for org.w3c.dom.Document inputs, but not for JAXB XML inputs.
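The hardening this issue calls for on the JAXB path, as an added example written for this page and not RESTEasy's own fix: the request body is parsed by a StAX reader whose factory has DTD processing and external entity resolution switched off, and only that reader is handed to JAXB. The `Order` type, the `unmarshal` helper and the placeholder entity URI are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeJaxbUnmarshal {

    // Hypothetical JAXB-bound type standing in for a resource method's XML request body.
    @XmlRootElement(name = "order")
    public static class Order {
        public String note;
    }

    // One factory, configured once: no DTD processing, no external entity resolution.
    private static final XMLInputFactory SAFE_FACTORY = XMLInputFactory.newInstance();
    static {
        SAFE_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        SAFE_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    }

    // Unmarshal via a StAX reader from the hardened factory instead of handing JAXB the
    // raw stream, which would let it create its own parser with default settings.
    public static Order unmarshal(String xml) throws JAXBException, XMLStreamException {
        XMLStreamReader reader = SAFE_FACTORY.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(Order.class).createUnmarshaller();
        return (Order) u.unmarshal(reader);
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign body: accepted.
        Order ok = unmarshal("<order><note>gift wrap</note></order>");
        System.out.println("benign body parsed, note=" + ok.note);

        // Constructed body with a DOCTYPE declaring an external entity (placeholder URI).
        // The hardened reader either refuses the DTD or fails the undeclared entity
        // reference; the error surfaces as an exception, never as resolved content.
        String hostile = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
                       + "<order><note>&ext;</note></order>";
        try {
            unmarshal(hostile);
            System.out.println("UNEXPECTED: DOCTYPE body was accepted");
        } catch (Exception e) {
            System.out.println("rejected as expected: " + e.getClass().getSimpleName());
        }
    }
}
```

The same factory settings apply to any other entry point that builds an XMLStreamReader for JAXB; a provider that passes an InputStream or Source straight to Unmarshaller bypasses them.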

    Activity

            ron_sigal Ron Sigal added a comment -

            Update. I haven't made much progress with fastinfoset, so I'm going to break it out into a separate issue and close this issue. I just have to update the users guide.

            ron_sigal Ron Sigal added a comment -

            I believe that the fix is working for the various JAXB unmarshallers, and I've updated the users guide. Also, I've split off the fastinfoset version to RESTEASY-659, so I am closing this issue.

            adkathuria anuj kathuria added a comment -

            Ron, we tested this fix for JAXB. It works fine. Thank you for the fix.
            When are you expecting to release 2.3.2, so that we can start using it?

            ron_sigal Ron Sigal added a comment -

            Hi Anuj,

            Thanks for the good news. I believe there will be a release in the next couple of days.

            -Ron

            ron_sigal Ron Sigal added a comment -

            I am attaching current JAXB provider jars. They were compiled with jdk1.6.0_30.


    People

    • Assignee: ron_sigal Ron Sigal
    • Reporter: adkathuria anuj kathuria