Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-16 Thread Jody Garnett 
You are welcome to add one, the Hint DISABLE_EXTERNAL_ENTITIES is listed in
the javadoc for DocumentFactory linked above (and there are example of use
in the test cases).

Another approach is to look at the source code for
PreventLocalEntityResolver and make one that is even more restrictive.

Keep in mind that this is for one of our earlier XML parser which is now
pretty much only used by gt-wms. I already feel a bit uncomfortable
changing the default to use PreventLocalEntityResolver.

--
Jody Garnett

On 16 October 2016 at 16:33, Ben Caradoc-Davies  wrote:

> Jody,
>
> do we have an example of how to use Hints to prevent remote external
> entity resolution? This is another type of XXE vulnerability. Some users
> may wish to parse untrusted XML documents without the risk of, for example,
> triggering malicious REST calls against their internal network.
>
> Kind regards,
> Ben.
>
>
> On 17/10/16 07:53, Jody Garnett wrote:
>
>> Ben we prevent resolving to local files by default, but we so resolve to
>> external ones.
>> On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies 
>> wrote:
>>
>> Indeed, and thanks for the detailed docs.
>>>
>>> There are situations where XML external entity resolution is necessary;
>>> users must consider the vulnerabilities inherent in resolving XML
>>> external entities in untrusted documents. Disabling external entity
>>> resolution is a safe default.
>>>
>>> Kind regards,
>>> Ben.
>>>
>>> On 16/10/16 11:27, Jody Garnett wrote:
>>>
 Fair correction ben, but we do instructions for turning the security
 vulnerability back on :)

>>>
>>> --
>>> Ben Caradoc-Davies 
>>> Director
>>> Transient Software Limited 
>>> New Zealand
>>>
>>>
> --
> Ben Caradoc-Davies 
> Director
> Transient Software Limited 
> New Zealand
>
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-16 Thread Ben Caradoc-Davies 
Jody,

do we have an example of how to use Hints to prevent remote external 
entity resolution? This is another type of XXE vulnerability. Some users 
may wish to parse untrusted XML documents without the risk of, for 
example, triggering malicious REST calls against their internal network.

Kind regards,
Ben.

On 17/10/16 07:53, Jody Garnett wrote:
> Ben we prevent resolving to local files by default, but we so resolve to
> external ones.
> On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies  wrote:
>
>> Indeed, and thanks for the detailed docs.
>>
>> There are situations where XML external entity resolution is necessary;
>> users must consider the vulnerabilities inherent in resolving XML
>> external entities in untrusted documents. Disabling external entity
>> resolution is a safe default.
>>
>> Kind regards,
>> Ben.
>>
>> On 16/10/16 11:27, Jody Garnett wrote:
>>> Fair correction ben, but we do instructions for turning the security
>>> vulnerability back on :)
>>
>> --
>> Ben Caradoc-Davies 
>> Director
>> Transient Software Limited 
>> New Zealand
>>

-- 
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand

--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-16 Thread Jody Garnett 
Ben we prevent resolving to local files by default, but we so resolve to
external ones.
On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies  wrote:

> Indeed, and thanks for the detailed docs.
>
> There are situations where XML external entity resolution is necessary;
> users must consider the vulnerabilities inherent in resolving XML
> external entities in untrusted documents. Disabling external entity
> resolution is a safe default.
>
> Kind regards,
> Ben.
>
> On 16/10/16 11:27, Jody Garnett wrote:
> > Fair correction ben, but we do instructions for turning the security
> > vulnerability back on :)
>
> --
> Ben Caradoc-Davies 
> Director
> Transient Software Limited 
> New Zealand
>
-- 
--
Jody Garnett
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users