There should not be insecure usage of XSL processors in deegree3. #1682

Closed
c1gar opened this issue Apr 26, 2024 · 0 comments · Fixed by #1685
Labels
TMC discussion to be discussed by technical management committee members

c1gar commented Apr 26, 2024

In the latest version of deegree3, the file org.deegree.commons.xml.XsltUtils.java contains XSLT functionality, but no security parameters were added. This is highly risky, as XSLT vulnerabilities could lead to RCE, file reading, and other vulnerabilities. It is advisable to add security parameters, such as factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true).

@tfr42 tfr42 added the TMC discussion to be discussed by technical management committee members label May 8, 2024