Lukasz Lenart created WW-5621:
---------------------------------
Summary: Harden XML parsers against Entity Expansion (Billion Laughs) attacks
Key: WW-5621
URL: https://issues.apache.org/jira/browse/WW-5621
Project: Struts 2
Issue Type: Improvement
Components: Plugin - XSLT
Reporter: Lukasz Lenart
Fix For: 6.9.0, 7.2.0
Defense-in-depth hardening of XML parsers. Modern JDKs (7u45+) already enforce
a 64K entity expansion limit, so this is not an exploitable vulnerability — all
XML sources come from the classpath, not user input.
Changes:
- Remove unused {{parseStringAsXML}} feature from {{StringAdapter}} to eliminate theoretical attack surface
- Deprecate {{getParseStringAsXML()}} / {{setParseStringAsXML()}} for future removal
- Enable {{FEATURE_SECURE_PROCESSING}} in Tiles {{DigesterDefinitionsReader}}
- Add unit test verifying JDK entity expansion limit rejects Billion Laughs payloads
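As an added illustration of the hardening this issue describes (example code, not the Struts project's or the reporter's), the Java snippet below builds a DocumentBuilder with FEATURE_SECURE_PROCESSING plus the usual defence-in-depth features and checks that a small, constructed nested-entity document is rejected while a plain document still parses. The feature URIs are the Xerces ones honoured by the JDK's built-in parser; the class and method names are assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class HardenedXmlParserExample {

    // Secure-processing feature (the one the issue enables) plus the Xerces
    // features that refuse DOCTYPEs and external entities outright, so an
    // entity-expansion payload never reaches the JDK's 64K expansion limit.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // True when the parser refuses the document; with disallow-doctype-decl any
    // DOCTYPE-bearing input, entity-expansion payloads included, is refused.
    static boolean isRejected(DocumentBuilder db, String xml) {
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException | IOException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedBuilder();
        // Constructed sample input: a three-level nested-entity document of the
        // Billion Laughs shape, kept tiny because only its rejection matters here.
        String nested = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE lolz [\n"
            + " <!ENTITY lol \"lol\">\n"
            + " <!ENTITY lol1 \"&lol;&lol;&lol;\">\n"
            + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;\">\n"
            + "]>\n"
            + "<lolz>&lol2;</lolz>";
        String plain = "<config><bean name=\"x\"/></config>";   // constructed, DOCTYPE-free
        System.out.println("nested entities rejected: " + isRejected(db, nested));
        System.out.println("plain document rejected:  " + isRejected(db, plain));
    }
}
```

The same feature set applies to SAXParserFactory and, via setProperty with XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET set to "", to a TransformerFactory used for XSLT.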
--
This message was sent by Atlassian Jira
(v8.20.10#820010)