Jody,

do we have an example of how to use Hints to prevent remote external 
entity resolution? This is another type of XXE vulnerability. Some users 
may wish to parse untrusted XML documents without the risk of, for 
example, triggering malicious REST calls against their internal network.

Kind regards,
Ben.

On 17/10/16 07:53, Jody Garnett wrote:
> Ben we prevent resolving to local files by default, but we so resolve to
> external ones.
> On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies <b...@transient.nz> wrote:
>
>> Indeed, and thanks for the detailed docs.
>>
>> There are situations where XML external entity resolution is necessary;
>> users must consider the vulnerabilities inherent in resolving XML
>> external entities in untrusted documents. Disabling external entity
>> resolution is a safe default.
>>
>> Kind regards,
>> Ben.
>>
>> On 16/10/16 11:27, Jody Garnett wrote:
>>> Fair correction ben, but we do instructions for turning the security
>>> vulnerability back on :)
>>
>> --
>> Ben Caradoc-Davies <b...@transient.nz>
>> Director
>> Transient Software Limited <http://transient.nz/>
>> New Zealand
>>

-- 
Ben Caradoc-Davies <b...@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users

Reply via email to