PowerCOM_STARWAR created FREEMARKER-191:
-------------------------------------------

             Summary: The class TaglibFactory.class has XXE security issue
                 Key: FREEMARKER-191
                 URL: https://issues.apache.org/jira/browse/FREEMARKER-191
             Project: Apache Freemarker
          Issue Type: Bug
          Components: engine, jsp
    Affects Versions: 2.3.31
            Reporter: PowerCOM_STARWAR
         Attachments: TaglibFactory.java

In the class TaglibFactory, it provides the static method "parseXml" to parse 
the input stream, but it does not set the security settings, for example as below:

    xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);

and so it may be attacked by XXE. So I think FreeMarker can add the above 
content first and parse the XML in the next step; it would be better. Thanks



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

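The following is an added example, not FreeMarker's own code or the attached TaglibFactory.java: it shows a SAX reader configured with the three features named in the report (plus the closely related `load-external-dtd` and XInclude switches) and then feeds it two constructed inputs, a plain taglib fragment and the same fragment carrying a DOCTYPE. The class and method names (`HardenedSaxParse`, `hardenedReader`, `parseElementNames`) are assumptions chosen for this illustration; the point is that a parser hardened this way accepts ordinary descriptors but rejects any DOCTYPE before entity expansion can happen.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Added example (hypothetical class, not FreeMarker's TaglibFactory):
// a SAX reader hardened against XXE, exercised on constructed inputs.
public class HardenedSaxParse {

    // Builds an XMLReader with the features from the report set to safe values.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Reject any DOCTYPE outright; without a DTD no entities can be declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must still be tolerated.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        return factory.newSAXParser().getXMLReader();
    }

    // Parses the stream and returns the qualified names of the elements seen;
    // throws SAXParseException if the hardened reader rejects the document.
    static List<String> parseElementNames(XMLReader reader, InputStream in) throws Exception {
        List<String> names = new ArrayList<>();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                names.add(qName);
            }
        });
        reader.parse(new InputSource(in));
        return names;
    }

    private static InputStream stream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary taglib descriptor fragment.
        String benign = "<?xml version=\"1.0\"?>"
                      + "<taglib><tlib-version>1.0</tlib-version></taglib>";
        // Constructed sample: the same fragment with a DOCTYPE (internal entity only).
        String withDoctype = "<?xml version=\"1.0\"?>"
                           + "<!DOCTYPE taglib [<!ENTITY v \"1.0\">]>"
                           + "<taglib><tlib-version>&v;</tlib-version></taglib>";

        System.out.println("benign   -> " + parseElementNames(hardenedReader(), stream(benign)));
        try {
            parseElementNames(hardenedReader(), stream(withDoctype));
            System.out.println("doctype  -> accepted (hardening not in effect)");
        } catch (SAXParseException e) {
            // Expected with disallow-doctype-decl=true: the parser stops at the DOCTYPE.
            System.out.println("doctype  -> rejected: " + e.getMessage());
        }
    }
}
```

Setting the features on the SAXParserFactory, as above, and setting them on an XMLReader obtained from it, as in the report, are equivalent; what matters is that they are applied before the first call to parse. Of the three, `disallow-doctype-decl` is the one that closes the XXE class entirely, so a defender checking a codebase should look for it first and treat the two entity features as the fallback for parsers that cannot honour it.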