xmlgraphics-batik-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 53603] "XML External Entities" vulnerability
Date Fri, 27 Jul 2012 00:17:28 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

--- Comment #2 from Thomas Deweese <deweese@apache.org> ---
I don't want to dismiss this out of hand but I'm not sure I agree that a
vulnerability really exists.

Given that Batik is more a toolkit than a finished product, a lot more of the
responsibility for avoiding these issues falls on the users rather than the
library.  This is more or less required given that it's impossible for us to know
ahead of time what parts of the system the batik libraries should be allowed to
access or not.

Please note that xxe.svg will fail if you use squiggle _and_ you fetch
'xxe.svg' from a server (I even tried variants like replacing etc/passwd with
file:///etc/passwd).

People using the rasterizer to rasterize random content from the web should be
more careful.  They can use Java's built-in support for policy files to
restrict access to the file system.  I don't think it would be appropriate for
the toolkit to restrict this ahead of time since many legitimate uses may need
fairly wide access to the filesystem.  I checked and browsers seem to block all
access to the file system when loading a file from the disk even if it's
co-located.  That may make sense for a browser but I think would block many
legitimate uses of Batik.

