[jira] [Commented] (FREEMARKER-191) The class TaglibFactory.class may have XXE security issue

Jira Tue, 07 Sep 2021 11:17:05 -0700


    [ 
https://issues.apache.org/jira/browse/FREEMARKER-191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17411405#comment-17411405
 ]


Dániel Dékány commented on FREEMARKER-191:
------------------------------------------

We have {{reader.setEntityResolver(new EmptyContentEntityResolver()); though}}. 
Is it still XXE-able?

> The class TaglibFactory.class may have XXE security issue
> ---------------------------------------------------------
>
>                 Key: FREEMARKER-191
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-191
>             Project: Apache Freemarker
>          Issue Type: Bug
>          Components: engine, jsp
>    Affects Versions: 2.3.31
>            Reporter: PowerCOM_STARWAR
>            Priority: Major
>         Attachments: TaglibFactory.java
>
>
> In the class  TaglibFactory, it provides the static method "parseXml" to 
> parse the inputstream,  but it does not set security head,for example as 
> below:
> xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
> true);
>  
> xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities";,
>  false);
>  
> xmlReader.setFeature("http://xml.org/sax/features/external-general-entities";, 
> false); 
> and then it may be attacked by XXE. So i think freemarker can add the above 
> content first and parse the xml on next step, it will be better. Thanks



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (FREEMARKER-191) The class TaglibFactory.class may have XXE security issue

Reply via email to