Hello,
when reading CVE-2020-10683 I wondered whether Velocity is vulnerable to
using external DTDs. CVE-2020-10683 marks dom4j as vulnerable, and
dom4j is used by velocity-tools (at least version 2.x, but in general
any XML parser supporting DTDs is vulnerable). If it is vulnerable, is
there a way to configure it to not be vulnerable? I found no way to
configure velocity-tools to not read external DTDs. If using dom4j
myself I would usually write code like this:
    import javax.xml.XMLConstants;
    import javax.xml.parsers.DocumentBuilderFactory;

    DocumentBuilderFactory factory = ...;
    factory.setValidating(false);                               // no DTD validation
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");  // JAXP 1.5: allow no protocol for external DTD access
What do you think? Any advice is appreciated,
Christian
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
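As an added illustration (this is not code from Christian's message, from dom4j or from the Velocity project), the following Java program shows the difference the `ACCESS_EXTERNAL_DTD` setting makes. It writes a small DTD to a temporary file, builds an XML document whose DOCTYPE points at that file (both constructed here), and parses it twice: once with a default JAXP `DocumentBuilderFactory`, which fetches the external DTD and expands the entity it defines, and once with a hardened factory that refuses to access it. The class name and the temp-file layout are choices of this example; only JDK APIs are used (Java 11 or later for `Files.writeString`).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class ExternalDtdDemo {

    // Constructed sample: an XML document whose DOCTYPE references an external DTD
    // and uses an entity that is only defined inside that DTD.
    static String xmlReferencing(Path dtd) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE note SYSTEM \"" + dtd.toUri() + "\">\n"
             + "<note>&greeting;</note>\n";
    }

    // Default JAXP configuration: the external DTD is fetched (file://, http://, ...)
    // and entities declared in it are expanded into the document.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: the settings from the e-mail plus the usual companions.
    // An empty ACCESS_EXTERNAL_DTD value means "no protocol may be used", so any
    // attempt to load an external DTD or external entity is a fatal parse error.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setValidating(false);
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parses the document and returns the text of the root element,
    // i.e. whatever &greeting; was expanded to.
    static String parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed external DTD: defines the entity the document refers to.
        Path dtd = Files.createTempFile("note", ".dtd");
        Files.writeString(dtd, "<!ENTITY greeting \"loaded from external DTD\">\n");
        dtd.toFile().deleteOnExit();

        String xml = xmlReferencing(dtd);

        // Default factory: reads the DTD from disk and expands the entity.
        System.out.println("default : " + parse(defaultFactory(), xml));

        // Hardened factory: the parser refuses to read the DTD and aborts the parse.
        try {
            System.out.println("hardened: " + parse(hardenedFactory(), xml));
        } catch (SAXParseException e) {
            System.out.println("hardened: refused -> " + e.getMessage());
        }
    }
}
```

The point of the demonstration is that `setValidating(false)` alone is not enough: a non-validating JAXP parser still loads the external DTD by default, so the first parse prints the text taken from the DTD file. Only the `ACCESS_EXTERNAL_DTD` restriction (or, where a DOCTYPE is never legitimate, disallowing DOCTYPE declarations altogether via the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl`) stops the fetch. If the parser in question is a dom4j `SAXReader` rather than a `DocumentBuilderFactory`, the same Xerces features can be passed through its `setFeature` method; whether velocity-tools exposes a hook to do that is exactly the open question of the message above.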