Re: [csv] Does the library provide means to circumvent CSV injection

2021-11-11 Thread P. Ottlinger
Hi guys,

thanks for your reply.

Maybe I'm misinterpreting something but I thought that it could be made
possible to configure CSVFormat-object when writing the CSV data in a
way that any data with possibly corrupting values (as shown on the OWASP
page) will mask the whole contents of the cell.

Thus a library such as commons-csv would be able to lower the risk for
CSV injection and not every client/customer would have to manually
create this protecting logic.

To my mind it's a simple parser for "dangerous" tokens that quotes the
given data with additional   as we do not need to write
functioning Excel formulas into CSV.

WDYT?

Cheers,
Phil

Am 10.11.21 um 20:53 schrieb Gary Gregory:
> I agree with Matt. CSV is just a container, it doesn't know or care what
> the concept of a "formula" is.
> 
> Gary
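
What the pre-write filter proposed in this message could look like when kept in client code, as an added example that is not part of the thread and not commons-csv code. `FormulaSafeCsv`, `neutralize` and `printSafeRecord` are hypothetical names; the trigger characters and the single-quote prefix follow the OWASP page linked in the thread.

```java
import java.io.IOException;
import java.io.StringWriter;
import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVPrinter;

public class FormulaSafeCsv {

    // Leading characters that spreadsheet applications treat as the start of a
    // formula, per the OWASP CSV Injection page: = + - @ TAB CR.
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    /** Hypothetical helper: prefixes a risky cell with a single quote so it opens as text. */
    static Object neutralize(Object cell) {
        if (cell == null) {
            return null; // leave null handling to the CSVFormat in use
        }
        String s = cell.toString();
        if (!s.isEmpty() && FORMULA_TRIGGERS.indexOf(s.charAt(0)) >= 0) {
            return "'" + s;
        }
        return s;
    }

    /** Writes one record; commons-csv still does the delimiter and quote escaping. */
    static void printSafeRecord(CSVPrinter printer, Object... cells) throws IOException {
        Object[] safe = new Object[cells.length];
        for (int i = 0; i < cells.length; i++) {
            safe[i] = neutralize(cells[i]);
        }
        printer.printRecord(safe);
    }

    public static void main(String[] args) throws IOException {
        StringWriter out = new StringWriter();
        try (CSVPrinter printer = new CSVPrinter(out, CSVFormat.DEFAULT)) {
            // Constructed sample rows: the second one carries formula-like input
            // that also contains the delimiter and the quote character.
            printSafeRecord(printer, "alice", "42", "plain text");
            printSafeRecord(printer, "mallory", "-1", "=SUM(A1:A9),\"x\"");
        }
        System.out.print(out);
    }
}
```

The filter also prefixes legitimate values such as the negative number `-1`, so it belongs on untrusted text fields rather than on every column.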





[csv] Does the library provide means to circumvent CSV injection

2021-11-10 Thread P. Ottlinger
Hi,

I just stumbled upon
https://owasp.org/www-community/attacks/CSV_Injection#
and asked myself if CommonsCSV provides a means to circumvent these kinds
of attacks.

If the library handles these special characters and prevents attacks
from working it should be mentioned on the homepage.

If it doesn't handle them, I'd like to know how customers/users prevent these
kinds of attacks. Maybe there's a working solution that can easily be
integrated into CommonsCSV?

Thanks,
Phil





Re: [commons-cli] handling properties files as default . . .

2019-02-10 Thread P. Ottlinger
Another way to help out (from the ASF universe) would be:
https://tamaya.apache.org/

Have fun
Phil

Am 10.02.19 um 12:50 schrieb Gary Gregory:
> It sounds like Commons Configuration would help as well.
> 
> Gary
> 
> On Sat, Feb 9, 2019, 20:34 Remko Popma  
>> I’m under the impression that Commons-CLI is not under active development
>> any more (anyone on the list, feel free to correct me if I’m wrong).
>>
>> I would recommend that you take a look at picocli (
>> https://github.com/remkop/picocli). Disclosure: I’m the author.)
>>
>> Picocli has a pluggable default provider (
>> https://picocli.info/#_default_provider), so it should be fairly
>> straightforward to implement what you describe.
>>
>> It also has other nice features that you might be interested in, like
>> usage help with ANSI colors, autocompletion, support for subcommands and
>> much more.
>>
>> Please take a look.
>> Happy to help if any issues pop up.
>>
>> Remko.
>>
>> (Shameless plug) Every java main() method deserves http://picocli.info
>>
>>> On Feb 10, 2019, at 10:05, Albretch Mueller  wrote:
>>>
>>> of course, the properties file would be the one describing the data,
>>> even if the command line arguments would take precedence
>>>
>>> lbrtchx
>>>
>>> -
>>> To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
>>> For additional commands, e-mail: user-h...@commons.apache.org
>>>
>>
> 





Re: commons-imaging stability?

2019-01-26 Thread P. Ottlinger
Am 25.01.19 um 23:47 schrieb Bruno P. Kinoshita:
> If you intend to use Commons Imaging, it might be a good idea to wait for the 
> 1.0 release. Can't promise when I will have time to work on the release 
> again, but my plan is to have it released in February (or earlier). Otherwise 
> my next long window for OSS development would be April.
> Other committers may step in and work on it before as well. If you have time 
> to help with the release, especially testing, that would be great too.

+1

Thanks for a release with the current functionality.

Cheers,
Phil




Re: [lang3] Problem with the OSGi metadata: Bundle-SymbolicName / breaking change between 3.7 and 3.8

2018-09-06 Thread P. Ottlinger
Hi,

thanks for quick response ...

Am 06.09.2018 um 21:24 schrieb Oliver Heger:
> So opening a ticket in Jira would be the correct action to take.

https://issues.apache.org/jira/browse/LANG-1419

Done :-) Hopefully I didn't miss any important stuff in Jira.

Cheers,
Phil




[imaging] Is it possible to release the current version as a release candidate from ASF

2018-09-06 Thread P. Ottlinger
Hi,

while going away from Sanselan
https://mvnrepository.com/artifact/org.apache.sanselan/sanselan/0.97-incubator
to
https://mvnrepository.com/artifact/org.apache.commons/commons-imaging
I'm unable to find an official release version.

This hinders adoption in Travis as SNAPSHOT references happen not to
work all the time.

Is it possible to do a release of the current version - if it's not a
1.0.0 I'd be glad with a 0.9.8 from apache/in maven central.

What do you think?

Thanks,
Phil




[lang3] Problem with the OSGi metadata: Bundle-SymbolicName / breaking change between 3.7 and 3.8

2018-09-06 Thread P. Ottlinger
Hi,

I've just stumbled upon a problem that prevents me from updating from
3.7 to 3.8 in an OSGi context.

Although the release has just been a patch one, the bundle's symbolic
name changed
from "Bundle-SymbolicName org.apache.commons.lang3" in 3.7.0
to "Bundle-SymbolicName org.apache.commons.commons-lang3" in 3.8.0.

That makes it impossible to do a drop-in update, as it is a breaking change.

Is that change an error in 3.8.0 or a wanted one that could be
communicated more directly to downstream users?

May I file a bug ticket in the LANG-Jira for it? I assume there has been
a hiccup when building the OSGi release JAR and the change was not intended.

Thanks,
Phil
