Posted to dev@velocity.apache.org by Christian Esken <c2...@arcor.de> on 2020/12/03 13:19:38 UTC
Use of external DTDs - CVE-2020-10683
Hello,
when reading CVE-2020-10683 I wondered whether Velocity is vulnerable to
using external DTDs. CVE-2020-10683 marks dom4j as vulnerable, and
dom4j is used by velocity-tools (at least version 2.x, but in general
any XML parser supporting DTDs is vulnerable). If it is vulnerable, is
there a way to configure it to not be vulnerable? I found no way to
configure velocity-tools to not read external DTDs. If using dom4j
myself I would usually write code like this:
DocumentBuilderFactory factory = ...;
factory.setValidating(false);
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
What do you think? Any advice is appreciated,
Christian
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org
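As an added example (not code from velocity-tools or from the XmlUtils class discussed in this thread), here is a JAXP DocumentBuilderFactory configured the way the snippet above sketches, together with a check that a document whose DOCTYPE points at an external DTD is rejected rather than fetched. The DTD URL is a constructed placeholder on a reserved .invalid host.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class ExternalDtdCheck {
    // Constructed sample input: a DOCTYPE pointing at an external DTD. The host
    // is a reserved .invalid placeholder; a hardened parser must refuse the
    // reference before any network access is attempted.
    static final String DOC_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\">\n"
      + "<note>hello</note>";

    // JAXP factory configured as the thread describes (validation off,
    // ACCESS_EXTERNAL_DTD set to the empty string) plus the usual companions.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setValidating(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // Strongest option when the application never needs a DOCTYPE: reject it
        // outright (Xerces feature name, honoured by the JDK's built-in parser).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    // True when the parser rejected the DTD reference itself (SAXParseException).
    // An IOException means the parser actually tried to fetch the DTD, so the
    // factory under test is not hardened; a clean parse means the same.
    public static boolean rejectsExternalDtd(DocumentBuilderFactory factory) throws Exception {
        try {
            factory.newDocumentBuilder().parse(new ByteArrayInputStream(
                DOC_WITH_EXTERNAL_DTD.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened factory rejects external DTD: " + rejectsExternalDtd(hardenedFactory()));
    }
}
```

The same check can be pointed at any DocumentBuilderFactory an application actually uses, which is a quick way to confirm a library's defaults instead of reading its source.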
Re: Use of external DTDs - CVE-2020-10683
Posted by Christian Esken <c2...@arcor.de>.
Thanks for the information. It confirms what I hoped and expected. Good
to see safe defaults are in use. :-)
In the meantime I also checked velocity-tools 2.x, and as far as I see
it also disables DTDs: XMLTool uses a default SAXReader, which has both
internal and external DTDs disabled.
Regards,
Christian
On 2020-12-03 15:50, Claude Brisson wrote:
> Hi.
>
> Velocity Tools 3.x doesn't use dom4j anymore, only the standard
> javax.xml API. And external DTDs are already disallowed, see XmlUtils
> <https://github.com/apache/velocity-tools/blob/422ed611f6d425e9f3143edc7061a1e6c846457c/velocity-tools-generic/src/main/java/org/apache/velocity/tools/XmlUtils.java#L129>
> source code.
>
> Regards,
>
> Claude
>
> On 20-12-03 14 h 19, Christian Esken wrote:
>> Hello,
>>
>> when reading CVE-2020-10683 I wondered whether Velocity is vulnerable
>> to using external DTDs. CVE-2020-10683 marks dom4j as vulnerable, and
>> dom4j is used by velocity-tools (at least version 2.x, but in general
>> any XML parser supporting DTDs is vulnerable). If it is vulnerable, is
>> there a way to configure it to not be vulnerable? I found no way to
>> configure velocity-tools to not read external DTDs. If using dom4j
>> myself I would usually write code like this:
>>
>> DocumentBuilderFactory factory = ...;
>> factory.setValidating(false);
>> factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
>>
>> What do you think? Any advice is appreciated,
>> Christian
Re: Use of external DTDs - CVE-2020-10683
Posted by Claude Brisson <cl...@renegat.net.INVALID>.
Hi.
Velocity Tools 3.x doesn't use dom4j anymore, only the standard
javax.xml API. And external DTDs are already disallowed, see XmlUtils
<https://github.com/apache/velocity-tools/blob/422ed611f6d425e9f3143edc7061a1e6c846457c/velocity-tools-generic/src/main/java/org/apache/velocity/tools/XmlUtils.java#L129>
source code.
Regards,
Claude
On 20-12-03 14 h 19, Christian Esken wrote:
> Hello,
>
> when reading CVE-2020-10683 I wondered whether Velocity is vulnerable
> to using external DTDs. CVE-2020-10683 marks dom4j as vulnerable, and
> dom4j is used by velocity-tools (at least version 2.x, but in general
> any XML parser supporting DTDs is vulnerable). If it is vulnerable, is
> there a way to configure it to not be vulnerable? I found no way to
> configure velocity-tools to not read external DTDs. If using dom4j
> myself I would usually write code like this:
>
> DocumentBuilderFactory factory = ...;
> factory.setValidating(false);
> factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
>
> What do you think? Any advice is appreciated,
> Christian