RESTEasy / RESTEASY-647

RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks, Part II

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 2.3.1
    • Fix Version/s: 2.3.2.Final
    • Component/s: jaxrs
    • Labels:
      None
    • Environment:
      ALL
    • Estimated Difficulty:
      Medium

      Description

      For description, see RESTEASY-637. I fixed the problem for org.w3c.dom.Document inputs, but not for JAXB XML inputs.


          Activity

          Ron Sigal added a comment -

          Update. I haven't made much progress with fastinfoset, so I'm going to break it out into a separate issue and close this issue. I just have to update the users guide.

          Ron Sigal added a comment -

          I believe that the fix is working for the various JAXB unmarshallers, and I've updated the users guide. Also, I've split off the fastinfoset version to RESTEASY-659, so I am closing this issue.

          anuj kathuria added a comment -

          Ron, we tested this fix for JAXB. It works fine. Thank you for the fix.
          When are you expecting to release 2.3.2, so that we can start using it?

          Ron Sigal added a comment -

          Hi Anuj,

          Thanks for the good news. I believe there will be a release in the next couple of days.

          -Ron

          Ron Sigal added a comment -

          I am attaching current JAXB provider jars. They were compiled with jdk1.6.0_30.


            People

            • Assignee: Ron Sigal
            • Reporter: anuj kathuria
            • Votes: 0
            • Watchers: 6
