commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nick Lothian" <nick.loth...@gmail.com>
Subject [feedparser] Security patch
Date Wed, 11 Oct 2006 05:50:57 GMT
Hi,

I'm a developer on the ROME RSS/Atom parser project
(http://rome.dev.java.net/). We were recently notified of a possible
security issue in our code
(http://www.somebits.com/weblog/tech/bad/xmlCode.html), which we've
fixed.

I'm aware that FeedParser is a dormant project, but the attached patch
will fix the same problem in the Apache-Commons project version.

I've also attached updated FeedParserImpl.java suitable for using with
Kevin's TailRank version (http://tailrank.com/code.php) (Hi Kevin!)

SAXBuilder.java is needed for both versions.

There is also an example RSS file which triggers the bug. (You'll need
some kind of monitoring tool to check for connections to example.com
on port 80).

Hopefully someone will find these useful.

Regards
  Nick Lothian
  nlothian@apache.org

Mime
View raw message