bhmohanr-techie commented on PR #25: URL: https://github.com/apache/commons-jxpath/pull/25#issuecomment-1281939997
@garydgregory @markt-asf @jvz @kinow @Paradox98 Dear Apache JXPath Maintainers,

I'm requesting your review for this PR #25, which will fix the recently reported vulnerability CVE-2022-41852. I have also raised a JIRA ticket for the same, [JXPATH-201](https://issues.apache.org/jira/browse/JXPATH-201). I also see one other PR raised for the same. The other PR #26 is raised on top of this PR raised by me, with one change that I have explained below.

- **Fix in my PR #25:** A new system property "jxpath.class.deny" is added, which can be used to specify the list of Java classes that should be restricted by jxpath. With this approach, the existing jxpath users, who aren't affected by this vulnerability, can continue to use jxpath without any need for this property. Only users affected by this vulnerability are required to set this property. **This ensures a smooth experience for existing users, as well as fixes the vulnerability for affected users.**
- **Fix in other PR #26:** This PR is raised on top of the code changes in my PR, just with one minor change. The system property is changed from a deny list to an allow list, which **will require all users of jxpath to configure the newly added system property (irrespective of whether the user is affected by this vulnerability), without which jxpath will no longer work for them**.

Please review the approach in my PR #25 and let me know your thoughts. I'm open to any suggestions or feedback from you. Thank you.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
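The comment above contrasts two policies for restricting which Java classes an expression may reach: a deny list (everything permitted unless listed) and an allow list (nothing permitted unless listed). The following is an added, self-contained illustration of that difference, not code from PR #25, PR #26 or the JXPath project. It reads the property name `jxpath.class.deny` from the comment; the property name `jxpath.class.allow`, the class `ClassAccessPolicy`, and all class names used in the demo are assumptions constructed for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Hypothetical class-name filter showing the two policies discussed in the PR thread.
 * This is NOT JXPath code. Both properties are read as comma-separated,
 * fully-qualified class names.
 */
public final class ClassAccessPolicy {

    /** Property name taken from PR #25. */
    public static final String DENY_PROPERTY = "jxpath.class.deny";
    /** Assumed property name for the allow-list variant described for PR #26. */
    public static final String ALLOW_PROPERTY = "jxpath.class.allow";

    private final Set<String> denied;   // null when the deny property is absent
    private final Set<String> allowed;  // null when the allow property is absent

    ClassAccessPolicy(Set<String> denied, Set<String> allowed) {
        this.denied = denied == null ? null : Collections.unmodifiableSet(denied);
        this.allowed = allowed == null ? null : Collections.unmodifiableSet(allowed);
    }

    /** Parses "a.B, c.D" into a set; returns null for a missing or blank property. */
    static Set<String> parseList(String value) {
        if (value == null || value.trim().isEmpty()) {
            return null;
        }
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(HashSet::new));
    }

    public static ClassAccessPolicy fromSystemProperties() {
        return new ClassAccessPolicy(
                parseList(System.getProperty(DENY_PROPERTY)),
                parseList(System.getProperty(ALLOW_PROPERTY)));
    }

    /** Deny-list policy (PR #25): fail open. An unconfigured property permits every class. */
    public boolean permittedUnderDenyList(String className) {
        return denied == null || !denied.contains(className);
    }

    /** Allow-list policy (PR #26 variant): fail closed. An unconfigured property permits no class. */
    public boolean permittedUnderAllowList(String className) {
        return allowed != null && allowed.contains(className);
    }

    public static void main(String[] args) {
        // Constructed demo: only the deny property is set, as an existing deployment
        // that upgraded and configured PR #25's property would look.
        System.setProperty(DENY_PROPERTY, "com.example.internal.Unsafe, com.example.internal.Admin");
        System.clearProperty(ALLOW_PROPERTY);

        ClassAccessPolicy policy = fromSystemProperties();
        String[] candidates = {
            "java.lang.String",               // ordinary class, not listed anywhere
            "com.example.internal.Unsafe"     // explicitly denied
        };

        for (String name : candidates) {
            System.out.printf("%-30s deny-list: %-5b allow-list: %-5b%n",
                    name,
                    policy.permittedUnderDenyList(name),   // String true, Unsafe false
                    policy.permittedUnderAllowList(name)); // both false: no allow list configured
        }
    }
}
```

Running `main` shows the trade-off the comment describes: with only `jxpath.class.deny` configured, the deny-list policy still permits `java.lang.String` while blocking the listed class, whereas the allow-list policy rejects both because no allow list was set. The allow list is the safer default for new deployments; the deny list is the change that leaves unaffected existing users' configurations working.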
