RESTEasy / RESTEASY-647

RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks, Part II

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 2.3.1
    • Fix Version/s: 2.3.2.Final
    • Component/s: jaxrs
    • Labels:
      None
    • Environment:
      ALL
    • Estimated Difficulty:
      Medium

      Description

      For description, see RESTEASY-637. I fixed the problem for org.w3c.dom.Document inputs, but not for JAXB XML inputs.
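The "JAXB XML inputs" the description refers to are request bodies that a JAX-RS provider unmarshals into an annotated bean. The following is an added illustration, not code from RESTEasy, from the attached provider jars, or from the reporter: it unmarshals the same bean twice, once with the unmarshaller's default parser (the shape an unpatched provider has) and once through a StAX reader configured to refuse DTDs and external entity resolution. The class and method names, the `User` bean and the payload (which points at a local file purely to make the leak visible) are assumptions constructed for this example; it needs `javax.xml.bind` on the classpath (JDK 6 to 8, or the JAXB API and runtime jars on later JDKs). Whether the unsafe path actually returns the file contents depends on the JAXB and SAX implementation in use; older runtimes of the kind this issue was filed against resolve the entity, newer JAXB releases may reject the DOCTYPE on their own.

```java
import java.io.StringReader;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added illustration (not RESTEasy code): one JAXB bean unmarshalled with the
 * unmarshaller's default parser and with a hardened StAX reader.
 */
public class JaxbXxeDemo {

    /** Hypothetical request body type, as a JAX-RS resource might declare it. */
    @XmlRootElement(name = "user")
    public static class User {
        public String name;
    }

    /** Constructed XXE payload: an external entity that reads a local file. */
    static final String XXE_PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
          + "<user><name>&xxe;</name></user>";

    /**
     * Vulnerable shape: JAXB builds its own SAX parser from the raw input.
     * On a parser that honours the DOCTYPE, &xxe; is replaced with the file
     * contents, which then travel wherever the bean's fields travel.
     */
    static String unmarshalUnsafe(String xml) throws JAXBException {
        JAXBContext ctx = JAXBContext.newInstance(User.class);
        User u = (User) ctx.createUnmarshaller().unmarshal(new StringReader(xml));
        return u.name;
    }

    /**
     * Hardened shape: parse with a StAX reader that has DTD support and
     * external entity resolution switched off, then hand that reader to JAXB.
     * The payload is rejected with an exception (or the entity reference is
     * left unresolved, depending on the StAX implementation); the file is
     * never read.
     */
    static String unmarshalSafe(String xml) throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        try {
            JAXBContext ctx = JAXBContext.newInstance(User.class);
            User u = (User) ctx.createUnmarshaller().unmarshal(xsr);
            return u.name;
        } finally {
            xsr.close();
        }
    }

    public static void main(String[] args) {
        try {
            System.out.println("unsafe: " + unmarshalUnsafe(XXE_PAYLOAD));
        } catch (Exception e) {
            System.out.println("unsafe: rejected (" + e.getMessage() + ")");
        }
        try {
            System.out.println("safe:   " + unmarshalSafe(XXE_PAYLOAD));
        } catch (Exception e) {
            System.out.println("safe:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

In a JAX-RS service the resource method never calls the unmarshaller itself; the framework's message body reader does. That is why the fix for this issue has to live in RESTEasy's JAXB providers (the jars attached in the comments below) rather than in application code, and why a single hardened code path at the provider is worth more than per-endpoint workarounds.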

            Activity

            Ron Sigal added a comment -

            Update. I haven't made much progress with fastinfoset, so I'm going to break it out into a separate issue and close this issue. I just have to update the users guide.

            Ron Sigal added a comment -

            I believe that the fix is working for the various JAXB unmarshallers, and I've updated the users guide. Also, I've split off the fastinfoset version to RESTEASY-659, so I am closing this issue.

            anuj kathuria added a comment -

            Ron, we tested this fix for JAXB. It works fine. Thank you for the fix.
            When are you expecting to release 2.3.2, so that we can start using it?

            Ron Sigal added a comment -

            Hi Anuj,

            Thanks for the good news. I believe there will be a release in the next couple of days.

            -Ron

            Ron Sigal added a comment -

            I am attaching current JAXB provider jars. They were compiled with jdk1.6.0_30.


              People

              • Assignee:
                Ron Sigal
                Reporter:
                anuj kathuria
              • Votes:
                0
                Watchers:
                6
