[eclipse-pmc] Timing for fix for Bug 518031: XML External Entity Vulnerability in Eclipse IDE

Dear PMC,

An XML External Entity Vulnerability (XXE) bug was identified in the Eclipse Platform (  The Open Web Application Security Project (OWASP) has a page explaining the impacts of XXE vulnerabilities.

A fix has been released for Photon to configure the relevant locations that parse external XML to use the `XMLConstants.FEATURE_SECURE_PROCESSING` feature which disables requesting external DTDs and schemas and limits entity processing. The JRE requires that all parsers support the `XMLConstants.FEATURE_SECURE_PROCESSING` feature.

Given that the fix is small, and a malicious p2 site could be assembled to obtain the content of local files, I'd like to request that we backport and include this fix for Oxygen.1.

