Posted to batik-dev@xmlgraphics.apache.org by "Ashish Chopra (Jira)" <ji...@apache.org> on 2020/02/18 06:03:00 UTC
[jira] [Commented] (BATIK-1276) Allow blocking of external resources
[ https://issues.apache.org/jira/browse/BATIK-1276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17038799#comment-17038799 ]
Ashish Chopra commented on BATIK-1276:
--------------------------------------
Hi [~ssteiner], thanks for this issue!
In our project, we were made aware of this very [SSRF vulnerability|https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF] recently. We are currently on Batik 1.12, but the fixVersion of this JIRA is empty.
Given the fix exists in {{trunk}} already, I'd expect the next Batik release to carry it - can you please let me know when the next Batik release (1.13 as I reckon) is scheduled to be released?
> Allow blocking of external resources
> ------------------------------------
>
> Key: BATIK-1276
> URL: https://issues.apache.org/jira/browse/BATIK-1276
> Project: Batik
> Issue Type: Bug
> Reporter: Simon Steiner
> Assignee: Simon Steiner
> Priority: Major
> Attachments: test.svg
>
>
> java -cp batik/lib/*:batik/batik-1.13.0-SNAPSHOT/lib/batik-all-1.13.0-SNAPSHOT.jar org.apache.batik.apps.rasterizer.Main -scriptSecurityOff -blockExternalResources test.svg
>
> Should stop xlink:href value being read
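Added example, not part of the original message or of Batik: for deployments still on a release without -blockExternalResources, a pre-flight check can list the href / xlink:href values that would make a renderer fetch something outside the SVG document, so the file can be rejected before it is rasterized. The function names and the sample SVG are constructed for illustration; the sample is not the test.svg attached to the issue.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample input (not the test.svg from BATIK-1276).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><linearGradient id="g"/></defs>
  <image xlink:href="http://internal.example/logo.png" width="1" height="1"/>
  <use xlink:href="#g"/>
  <image href="data:image/png;base64,AAAA" width="1" height="1"/>
  <use href="other.svg#shape"/>
</svg>"""


def is_external(ref):
    """True when resolving the reference needs a fetch outside the document."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False  # same-document fragment
    if ref.lower().startswith("data:"):
        return False  # inline payload, nothing is fetched
    return True       # absolute URL or relative path to another resource


def external_references(svg_text):
    """Return (element, reference) pairs, in document order, that leave the document."""
    # Refuse DTDs outright: they can declare entities and are not needed here.
    if "<!doctype" in svg_text.lower():
        raise ValueError("DOCTYPE not allowed in untrusted SVG")
    found = []
    for el in ET.fromstring(svg_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
        for attr in ("href", XLINK_HREF):
            ref = el.get(attr)
            if ref is not None and is_external(ref):
                found.append((name, ref))
    return found


if __name__ == "__main__":
    for name, ref in external_references(SAMPLE_SVG):
        print(f"external reference in <{name}>: {ref}")
```

This covers href attributes only; references made from CSS (url(...) in style attributes or stylesheets) need a separate check.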