Jody, do we have an example of how to use Hints to prevent remote external entity resolution? This is another type of XXE vulnerability. Some users may wish to parse untrusted XML documents without the risk of, for example, triggering malicious REST calls against their internal network.
Kind regards, Ben. On 17/10/16 07:53, Jody Garnett wrote: > Ben we prevent resolving to local files by default, but we so resolve to > external ones. > On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies <b...@transient.nz> wrote: > >> Indeed, and thanks for the detailed docs. >> >> There are situations where XML external entity resolution is necessary; >> users must consider the vulnerabilities inherent in resolving XML >> external entities in untrusted documents. Disabling external entity >> resolution is a safe default. >> >> Kind regards, >> Ben. >> >> On 16/10/16 11:27, Jody Garnett wrote: >>> Fair correction ben, but we do instructions for turning the security >>> vulnerability back on :) >> >> -- >> Ben Caradoc-Davies <b...@transient.nz> >> Director >> Transient Software Limited <http://transient.nz/> >> New Zealand >> -- Ben Caradoc-Davies <b...@transient.nz> Director Transient Software Limited <http://transient.nz/> New Zealand ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ GeoTools-GT2-Users mailing list GeoTools-GT2-Users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users
