Posted to batik-dev@xmlgraphics.apache.org by "Simon Steiner (Jira)" <ji...@apache.org> on 2022/09/22 12:10:00 UTC

[jira] [Updated] (BATIK-1333) Block external resource before calling fop

     [ https://issues.apache.org/jira/browse/BATIK-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Steiner updated BATIK-1333:
---------------------------------
    Description: 
We should block external resource before fop is called

        PDFTranscoder transcoder = new PDFTranscoder();
        TranscoderInput xIn = new TranscoderInput(new FileInputStream("test.svg"));
        TranscoderOutput xOut = new TranscoderOutput(new ByteArrayOutputStream());
        transcoder.addTranscodingHint(PDFTranscoder.KEY_AUTO_FONTS, false);
        transcoder.addTranscodingHint(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, false);
        transcoder.transcode(xIn, xOut);

CVE-2022-38648

  was:
We should block external resource before fop is called

        PDFTranscoder transcoder = new PDFTranscoder();
        TranscoderInput xIn = new TranscoderInput(new FileInputStream("test.svg"));
        TranscoderOutput xOut = new TranscoderOutput(new ByteArrayOutputStream());
        transcoder.addTranscodingHint(PDFTranscoder.KEY_AUTO_FONTS, false);
        transcoder.addTranscodingHint(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, false);
        transcoder.transcode(xIn, xOut);


> Block external resource before calling fop
> ------------------------------------------
>
>                 Key: BATIK-1333
>                 URL: https://issues.apache.org/jira/browse/BATIK-1333
>             Project: Batik
>          Issue Type: Bug
>            Reporter: Simon Steiner
>            Assignee: Simon Steiner
>            Priority: Major
>             Fix For: 1.15
>
>         Attachments: test.svg
>
>
> We should block external resource before fop is called
>
>         PDFTranscoder transcoder = new PDFTranscoder();
>         TranscoderInput xIn = new TranscoderInput(new FileInputStream("test.svg"));
>         TranscoderOutput xOut = new TranscoderOutput(new ByteArrayOutputStream());
>         transcoder.addTranscodingHint(PDFTranscoder.KEY_AUTO_FONTS, false);
>         transcoder.addTranscodingHint(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, false);
>         transcoder.transcode(xIn, xOut);
>
> CVE-2022-38648


