https://bz.apache.org/bugzilla/show_bug.cgi?id=65704

            Bug ID: 65704
           Summary: The class XmlUtil.java have XXE security issue
           Product: Taglibs
           Version: 1.2.5
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Unknown Taglib
          Assignee: dev@tomcat.apache.org
          Reporter: powercomt...@huawei.com
  Target Milestone: ---

Created attachment 38102
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38102&action=edit
source code

At line 88, the XML parser configured as 'tf' neither prevents nor limits external
entity resolution. This can expose the parser to an XML External Entities
attack. Using XML parsers configured to neither prevent nor limit external entity
resolution can expose the parser to an XML External Entities attack. For
example, as below:

 tf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

I think taglibs can add the above content first and then parse the XML in the next step;
it will be better. Thanks
