[
https://issues.apache.org/jira/browse/FREEMARKER-191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17411825#comment-17411825
]
Dániel Dékány commented on FREEMARKER-191:
------------------------------------------
I guess the motivation of EmptyContentEntityResolver was simply to prevent the
application to try to load external resources because of schema/DTD URL-s.
Accessing the Internet like that is almost always blocked on servers, and so
will cause the application to fail (and if not, then it will be still
slow/fragile). However, accidentally or not, it also blocks XXE, as far as I
see right now.
> The class TaglibFactory.class may have XXE security issue
> ---------------------------------------------------------
>
> Key: FREEMARKER-191
> URL: https://issues.apache.org/jira/browse/FREEMARKER-191
> Project: Apache Freemarker
> Issue Type: Bug
> Components: engine, jsp
> Affects Versions: 2.3.31
> Reporter: PowerCOM_STARWAR
> Priority: Major
> Attachments: TaglibFactory.java
>
>
> In the class TaglibFactory, it provides the static method "parseXml" to
> parse the inputstream, but it does not set security head,for example as
> below:
> xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
> true);
>
> xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities";,
> false);
>
> xmlReader.setFeature("http://xml.org/sax/features/external-general-entities";,
> false);
> and then it may be attacked by XXE. So i think freemarker can add the above
> content first and parse the xml on next step, it will be better. Thanks
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
