Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-16 Thread Jody Garnett
You are welcome to add one, the Hint DISABLE_EXTERNAL_ENTITIES is listed in the javadoc for DocumentFactory linked above (and there are examples of use in the test cases). Another approach is to look at the source code for PreventLocalEntityResolver and make one that is even more restrictive. Keep

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-16 Thread Ben Caradoc-Davies
Jody, do we have an example of how to use Hints to prevent remote external entity resolution? This is another type of XXE vulnerability. Some users may wish to parse untrusted XML documents without the risk of, for example, triggering malicious REST calls against their internal network. Kind r

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-16 Thread Jody Garnett
Ben, we prevent resolving to local files by default, but we do resolve to external ones.

On Sat, Oct 15, 2016 at 5:46 PM Ben Caradoc-Davies wrote:
> Indeed, and thanks for the detailed docs.
>
> There are situations where XML external entity resolution is necessary;
> users must consider the vulne

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-15 Thread Ben Caradoc-Davies
Indeed, and thanks for the detailed docs. There are situations where XML external entity resolution is necessary; users must consider the vulnerabilities inherent in resolving XML external entities in untrusted documents. Disabling external entity resolution is a safe default. Kind regards, Be

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-15 Thread Jody Garnett
Fair correction Ben, but we do instructions for turning the security vulnerability back on :)
-- Jody Garnett

On 15 October 2016 at 17:23, Ben Caradoc-Davies wrote:
> This release includes a *fix* for a security vulnerability, I think. ;-)
>
> Kind regards,
> Ben.
>
> On 16/10/16 11:14, Jody G

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-15 Thread Ben Caradoc-Davies
This release includes a *fix* for a security vulnerability, I think. ;-)

Kind regards,
Ben.

On 16/10/16 11:14, Jody Garnett wrote:
> As noted this release includes a security vulnerability, the user guide
> link is
> http://docs.geotools.org/latest/userguide/library/metadata/geotools.html#xml
>

Re: [Geotools-gt2-users] GeoTools 15.2 released

2016-10-15 Thread Jody Garnett
As noted this release includes a security vulnerability, the user guide link is http://docs.geotools.org/latest/userguide/library/metadata/geotools.html#xml New hints are available for use with DocumentFactory and t