Loading...

XML

Word

Printable

Details

Type: Bug Report
Resolution: Fixed
Priority: L3 - Default
Fix Version/s: 7.7.11, 7.10.0, 7.9.7, 7.8.13, 7.10.0-alpha6
Affects Version/s: 7.10.0-alpha3, 7.10.0-alpha4
Component/s: engine
Labels:
- SUPPORT

Description

When a deployed BPMN XML contains a reference to an external entity

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ 
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:camunda="http://activiti.org/bpmn" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd" id="_r7y_gEa-EeO5NO3lqhkDkg" targetNamespace="http://activiti.org/bpmn">
    <!-- [...] -->
    <bpmn2:outgoing>&xxe;</bpmn2:outgoing>
    <!-- [..] -->

then engine tries to fetch the external entity.

AT:

there exists a configuration option to disable this behavior

mgm-controller-panel

This is the controller panel for Smart Panels app

Attachments

Activity

People

Assignee:: Yana Vasileva

Reporter:: Roman Smirnov

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 23/Aug/18 11:03 AM

Updated:: 11/Jun/19 4:00 PM

Resolved:: 02/Nov/18 9:27 AM

Prevention of External Entity Processing

Details

Description

mgm-controller-panel

This is the controller panel for Smart Panels app

Attachments

Activity

People

Dates

Salesforce