[eclipse-pmc] Timing for fix for Bug 518031: XML External Entity Vulnerability in Eclipse IDE
An XML External Entity (XXE) vulnerability was identified in the Eclipse Platform (https://bugs.eclipse.org/bugs/show_bug.cgi?id=518031). The Open Web Application Security Project (OWASP) has a page explaining the impacts of XXE vulnerabilities.
A fix has been released for Photon that configures the relevant locations that parse external XML to enable the `XMLConstants.FEATURE_SECURE_PROCESSING` feature, which disables requesting external DTDs and schemas and limits entity processing. The JRE requires that all parsers support the `XMLConstants.FEATURE_SECURE_PROCESSING` feature.
Given that the fix is small, and a malicious p2 site could be assembled to obtain the content of local files, I'd like to request that we backport and include this fix for Oxygen.1.
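The parser configuration the fix describes, written out as an added example (this is not the Eclipse Platform's own code; the class name, the helper method names and the `file:///PLACEHOLDER/...` path are assumptions made for illustration). Beyond the page's `FEATURE_SECURE_PROCESSING` setting it also sets the JAXP external-access properties explicitly, so the restriction holds on parser implementations whose defaults differ from the JDK's.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SecureXmlExample {
    // Hypothetical helper: the parser configuration the fix applies at each
    // XML-parsing call site, written out once as a reusable factory.
    static DocumentBuilder newSecureDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Mandatory for every JAXP parser: enforces entity expansion limits and,
        // in the JDK's built-in parser, defaults the two access properties below
        // to "" (no protocol permitted for external DTDs, entities or schemas).
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Belt and braces: state the restriction explicitly so it also holds for
        // a third-party JAXP implementation with different defaults.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory.newDocumentBuilder();
    }

    // Constructed sample: a DTD declaring an external entity that points at a
    // local file, the construct an XXE probe relies on (path is a placeholder).
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE site [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/local/file\"> ]>\n"
      + "<site>&ext;</site>\n";

    // Returns true when the hardened parser refused to resolve the external entity.
    static boolean externalEntityBlocked(String xml)
            throws ParserConfigurationException, IOException {
        try {
            Document doc = newSecureDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            // Parse completed: non-empty text means file content was pulled in.
            return doc.getDocumentElement().getTextContent().isEmpty();
        } catch (SAXException e) {
            // The JDK parser aborts here ("access is not allowed due to restriction
            // set by the accessExternalDTD property") instead of opening the file.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("external entity blocked: " + externalEntityBlocked(SAMPLE));
    }
}
```

Running the same document through a `DocumentBuilderFactory` that leaves the feature off is the quickest way to check whether a given call site is still affected.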