Uploaded image for project: 'Apache Drill'
  1. Apache Drill
  2. DRILL-8461

Prevent XXE Attacks in XML Format Plugin

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 1.21.1
    • 1.21.2
    • Format - XML
    • None

    Description

      Drill's XML reader would allow a maliciously crafted XML file to perform an XML eXternal Entity injection (XXE)  attack.  This fix disables DTD parsing in the XML format plugin and prevents XXE attacks.

      Attachments

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            cgivre Charles Givre
            cgivre Charles Givre
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment