[
https://issues.apache.org/jira/browse/TIKA-2081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15516538#comment-15516538
]
Tim Allison edited comment on TIKA-2081 at 9/23/16 2:03 PM:
------------------------------------------------------------
I added fileUrl back. I didn't add any unit tests. If anyone has an idea of
how we can do those safely, let me know.
Following [~grossws]'s recommendation, the user has to include
{{\-\-enable-unsecure-features}} and {{\-\-enable-fileUrl}} on the commandline.
Warnings abound. If anyone has a chance to review this commit, I'd appreciate
it. I really don't like not adding unit tests...
was (Author: [email protected]):
I added fileUrl back. I didn't add any unit tests. If anyone has an idea of
how we can do those safely, let me know.
Following [~grossws]'s recommendation, the user has to include
{{--enable-unsecure-features}} and {{--enable-fileUrl}} on the commandline.
Warnings abound. If anyone has a chance to review this commit, I'd appreciate
it. I really don't like not adding unit tests...
> Add back 'fileUrl' functionality to TikaJAXRS Server subject to security
> controls
> ---------------------------------------------------------------------------------
>
> Key: TIKA-2081
> URL: https://issues.apache.org/jira/browse/TIKA-2081
> Project: Tika
> Issue Type: Task
> Components: server
> Affects Versions: 1.13
> Environment: All versions
> Reporter: John Dougrez-Lewis
> Assignee: Tim Allison
> Priority: Minor
> Labels: features, security
> Fix For: 2.0, 1.14
>
>
> Add back 'fileUrl' functionality from version 1.9 to TikaJAXRS Server subject
> to additional security controls:
> - disable by default
> - only enable if appropriate configuration flags are specified
> - when enabled print warning displaying at least CVE ID: CVE-2015-3271.
> as discussed on [email protected] mailing list under title "Query on
> correct use of 'fileUrl' in TikaJAXRS Server to extract document at remote
> url - my request is not working".