
[eclipse-pmc] Timing for fix for Bug 518031: XML External Entity Vulnerability in Eclipse IDE

Dear PMC,

An XML External Entity Vulnerability (XXE) bug was identified in the Eclipse Platform (https://bugs.eclipse.org/bugs/show_bug.cgi?id=518031). The Open Web Application Security Project (OWASP) has a page explaining the impacts of XXE vulnerabilities.

A fix has been released for Photon to configure the relevant locations that parse external XML to use the `XMLConstants.FEATURE_SECURE_PROCESSING` feature which disables requesting external DTDs and schemas and limits entity processing. The JRE requires that all parsers support the `XMLConstants.FEATURE_SECURE_PROCESSING` feature.

Given that the fix is small, and a malicious p2 site could be assembled to obtain the content of local files, I'd like to request that we backport and include this fix for Oxygen.1.

Brian.
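The configuration the message describes, written out as an added example in Java (this is illustrative code, not the patch attached to the bug and not Eclipse Platform code). `hardenedFactory` is a hypothetical helper name; the sample document and the temporary file it references are constructed by the program itself so the check runs offline. Beyond `FEATURE_SECURE_PROCESSING`, the block also sets the JAXP external-access properties explicitly, which is an addition for parsers that do not derive them from the feature.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example: parser hardening as described for the XXE fix, with a self-check. */
public class SecureXmlParsing {

    /** Factory configured the way the fix describes: secure processing enabled. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Every JAXP parser must support this feature. On the JDK's built-in
        // parser, enabling it explicitly also sets the external-access
        // properties below to "" (no external DTD/schema fetches) and applies
        // entity-expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Stated explicitly as well, so the restriction holds on third-party
        // JAXP implementations that do not derive it from the feature.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses a document and returns the root element's text, to observe whether an entity resolved. */
    static String rootText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a file this program creates itself stands in for
        // the local file an external entity in a hostile p2 site would reference.
        Path local = Files.createTempFile("xxe-check", ".txt");
        Files.write(local, "local-file-contents".getBytes(StandardCharsets.UTF_8));
        String doc = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE site [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>\n"
                + "<site>&ext;</site>";

        try {
            // Unconfigured factory: the external entity is resolved and the
            // file's contents end up inside the parsed document (the bug).
            String unsafe = rootText(DocumentBuilderFactory.newInstance(), doc);
            System.out.println("default factory resolved external entity: "
                    + "local-file-contents".equals(unsafe));

            // Hardened factory: the parser refuses to read the external entity
            // and rejects the document rather than returning the file contents.
            try {
                String hardened = rootText(hardenedFactory(), doc);
                System.out.println("hardened factory leaked content: "
                        + "local-file-contents".equals(hardened));
            } catch (SAXException e) {
                System.out.println("hardened factory rejected external entity: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(local);
        }
    }
}
```

Run it with a plain `java SecureXmlParsing.java` on a JDK that supports source-file launch; the first line should report `true` for the default factory and the hardened factory should fail the parse with a message naming the `accessExternalDTD` restriction. The same `setFeature` call applies to `SAXParserFactory`, `XMLInputFactory` and `TransformerFactory` instances, which is why the fix touches every location that parses external XML rather than one central parser.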
