[FREEMARKER-191] The class TaglibFactory.class may have XXE security issue - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Invalid
Affects Version/s: 2.3.31
Fix Version/s: None
Component/s: engine, jsp
Labels:
None

Language:
- Java

Description

In the class TaglibFactory, it provides the static method "parseXml" to parse the inputstream, but it does not set security head,for example as below:

xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);

and then it may be attacked by XXE. So i think freemarker can add the above content first and parse the xml on next step, it will be better. Thanks

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

TaglibFactory.java
07/Sep/21 13:04
82 kB
PowerCOM_STARWAR

Activity

People

Assignee:: Unassigned

Reporter:: PowerCOM_STARWAR

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 07/Sep/21 13:12

Updated:: 17/Feb/22 08:16

Resolved:: 17/Feb/22 08:16