Hello Kang Hou et al,

Thanks for your patience on this issue. After some discussion and consideration, we have decided not to treat this behavior as a security vulnerability.

The problem you describe only arises when untrusted input is passed to Commons Text. Because Commons Text is a low-level library, it is the responsibility of the application that integrates Commons Text to make sure input passed to this API is either trusted or sanitized. At the same time, since we've seen people 'in the wild' fail to sanitize input, the project might be open to improvements where we make more of the interpolator features opt-in. If you would be interested in exploring such a contribution, we encourage you to continue participating in the project on our public channels, such as the issue tracker and mailing lists you already found.

Kind regards,
Arnout Engelen
ASF Security

On Tue, Oct 18, 2022 at 6:32 AM Kang Hou <hou14...@gmail.com> wrote:
>
> ++user@commons.apache.org
>
> Hi team
>
> I added Commons Security List to this email thread.
>
> Please do not omit this issue. I noticed someone has already published this security vulnerability to the JIRA public channel (https://issues.apache.org/jira/projects/TEXT/issues/TEXT-220?filter=allopenissues). The issues in this email thread cover one more vuln like XXE than the public post.
>
> Please respond to me on whether you have confirmed that the issue I reported is a security vulnerability or not.
> Thank you!
>
> Waiting for your reply.
>
> Best Regards,
> backcover7 & et5
>
>
> On Thu, Oct 13, 2022 at 10:06 PM Kang Hou <hou14...@gmail.com> wrote:
>>
>> ++ et5@Uber
>>
>> Hi team
>>
>> I added et5 from Uber in this thread.
>> Please take a look at my reports about the security flaws. Waiting for your reply. Thank you!
>>
>> Best Regards,
>> backcover7 & et5
>>
>>
>> ---------- Forwarded message ---------
>> From: Kang Hou <hou14...@gmail.com>
>> Date: Thu, Oct 13, 2022 at 10:03 AM
>> Subject: Security Vulnerability in XmlStringLookup and FileStringLookup
>> To: <secur...@commons.apache.org>
>>
>>
>> Hi team
>>
>> I just found a new security vulnerability regarding the Interpolator Lookup in Apache Commons Text.
>> There are two functions that are affected in this report, including XmlStringLookup and FileStringLookup.
>>
>> I have already attached the report and the screenshot with details to this email. Please take a look and see whether they need to be fixed.
>>
>> Please assign a CVE to the following two who found the security bug together.
>>
>> backcover7 from Salesforce
>> et5 from Uber
>>
>>
>> Best Regards,
>> backcover7 & et5

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org
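The reply above puts the burden on the integrating application: keep untrusted input away from the interpolator, or install only the lookups the application actually needs. The Java class below is an added example of the second approach and is not code from this thread or from the Commons Text project. It uses the `StringLookupFactory` and `StringSubstitutor` API of Apache Commons Text (`mapStringLookup`, `interpolatorStringLookup(map, default, addDefaultLookups)`, `new StringSubstitutor(StringLookup)`); the map contents and template strings are constructed sample data and the file paths are placeholders.

```java
// Added example, not from the thread or the Commons Text project:
// an interpolator that only resolves application-supplied keys.
// The built-in prefixed lookups (file:, xml:, and the rest) are never
// registered, so templates that ask for them are left as literal text.
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolator {

    /** Builds a substitutor that can resolve nothing but keys of the given map. */
    public static StringSubstitutor restricted(Map<String, String> values) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        StringLookup onlyValues = factory.mapStringLookup(values);

        // Empty prefix map plus addDefaultLookups=false: no "file", "xml", "url",
        // "script", ... prefixes exist in this interpolator. A variable such as
        // "file:UTF-8:/x" finds no prefix handler, falls through to the map lookup,
        // finds no key, and is therefore left unresolved by StringSubstitutor.
        Map<String, StringLookup> noPrefixes = Collections.emptyMap();
        StringLookup interpolator =
                factory.interpolatorStringLookup(noPrefixes, onlyValues, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();   // constructed sample data
        values.put("user", "alice");

        StringSubstitutor safe = restricted(values);

        // Constructed templates: one legitimate key, two that request prefixed lookups.
        // Paths are placeholders, not real files.
        String[] templates = {
            "Hello ${user}",
            "Config: ${file:UTF-8:/placeholder/path/to/file.txt}",
            "Doc: ${xml:/placeholder/path/to/file.xml:/root/node}",
        };
        for (String template : templates) {
            // The first line resolves; the other two print exactly as written.
            System.out.println(safe.replace(template));
        }
    }
}
```

For contrast, the convenience factory `StringSubstitutor.createInterpolator()` registers the library's default set of prefixed lookups (which prefixes are on by default depends on the Commons Text version), which is the configuration the thread is concerned about when the template text comes from outside the application. Building the interpolator explicitly, as above, makes every enabled lookup a visible decision in the application's own code and is a cheap complement to validating the input itself.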