commons-issues mailing list archives

From "Bernd Eckenfels (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (IO-474) veracode scan points cross site scripting vulnerability at org/.../commons/io/FileUtils.java 2095.
Date Fri, 03 Apr 2015 16:35:53 GMT

    [ https://issues.apache.org/jira/browse/IO-474?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14394653#comment-14394653 ]

Bernd Eckenfels edited comment on IO-474 at 4/3/15 4:35 PM:
------------------------------------------------------------

This is a FileUtility which allows writing bytes to a file. This can certainly be used wrongly
in some conditions, but there is no inherent security issue in this place. Especially not
related to XSS (as you would not use it for web pages anyway).

Besides that, it would be good to do some research before dumping all those Veracode false
positives into the Apache bug tracker :-/ (and 2.4 is recent)


was (Author: b.eckenfels):
This is a FileUtility which allows writing bytes to a file. This can certainly be used wrongly
in some conditions, but there is no inherent security issue in this place. Especially not
related to XSS (as you would not use it for web pages anyway).

Besides that, it would be good to do some research before dumping all those Veracode false
positives into the Apache bug tracker :-/

> veracode scan points cross site scripting vulnerability at org/.../commons/io/FileUtils.java 2095.
> ----------------------------------------------------------------------------------------------------
>
>                 Key: IO-474
>                 URL: https://issues.apache.org/jira/browse/IO-474
>             Project: Commons IO
>          Issue Type: Bug
>    Affects Versions: 2.4
>         Environment: Linux
>            Reporter: Ananth 
>
> We use commons-io-2.4.jar. Recently our Veracode scan points to a cross-site scripting
> vulnerability at org/.../commons/io/FileUtils.java 2095. Do we have a recent version that
> addresses this issue?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
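The point made in the comment above, that the risk lives in how a caller hands a file name to FileUtils rather than in FileUtils itself, is easier to see side by side. The following is an added example, not code from commons-io or from anyone in this thread. It uses the real commons-io 2.4 methods FileUtils.writeByteArrayToFile and FileUtils.forceMkdir; the class name, the two caller methods, the upload directory and the sample payload are all hypothetical and constructed for the demonstration. A taint-tracking scanner follows the request parameter into the FileUtils call in unsafeWrite and reports it; what is actually reachable there is a path traversal into the file system, not script injection into an HTML response, and the hardened caller closes it without changing anything in commons-io.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.apache.commons.io.FileUtils;

// Added example (not from commons-io or the JIRA thread): the same FileUtils
// call used two ways. Requires commons-io 2.4 or later on the classpath.
public class FileUtilsUsage {

    // Hypothetical caller that takes a file name straight from an untrusted
    // request parameter. A "../" in the name escapes uploadDir. This is the
    // data flow a taint scanner reports; the sink is a file write, not HTML.
    static File unsafeWrite(File uploadDir, String nameFromRequest, byte[] data)
            throws IOException {
        File target = new File(uploadDir, nameFromRequest);
        FileUtils.writeByteArrayToFile(target, data);
        return target;
    }

    // Hardened caller: resolve the canonical path and refuse anything that
    // does not stay inside uploadDir. FileUtils is unchanged; only the
    // caller's validation differs. Both sides are canonicalised so a
    // symlinked temp directory (e.g. /var -> /private/var) compares cleanly.
    static File safeWrite(File uploadDir, String nameFromRequest, byte[] data)
            throws IOException {
        String base = uploadDir.getCanonicalPath() + File.separator;
        File target = new File(uploadDir, nameFromRequest);
        String resolved = target.getCanonicalPath();
        if (!resolved.startsWith(base)) {
            throw new IOException("refusing to write outside " + base + ": " + resolved);
        }
        FileUtils.writeByteArrayToFile(target, data);
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical upload directory under the JVM temp dir.
        File uploadDir = new File(System.getProperty("java.io.tmpdir"), "fileutils-demo");
        FileUtils.forceMkdir(uploadDir);
        // Constructed sample payload; any bytes would do.
        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        // Well-formed name: the checked variant writes inside uploadDir.
        System.out.println("written: " + safeWrite(uploadDir, "report.txt", data));

        // Traversal name: the unchecked variant writes one level above
        // uploadDir (still inside the temp dir here); the checked variant throws.
        String traversal = ".." + File.separator + "escaped.txt";
        System.out.println("escaped: " + unsafeWrite(uploadDir, traversal, data));
        try {
            safeWrite(uploadDir, traversal, data);
        } catch (IOException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Compile and run with commons-io on the classpath (for example `javac -cp commons-io-2.4.jar FileUtilsUsage.java && java -cp commons-io-2.4.jar:. FileUtilsUsage`). The prefix check is done on canonical paths rather than on the raw string so that `..` segments and symlinks are resolved before the comparison; checking the un-resolved `nameFromRequest` for the substring `..` would miss encodings and absolute paths that the canonical form exposes.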