Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2022/10/18 11:48:56 UTC

[GitHub] [commons-jxpath] markt-asf commented on pull request #25: Fix for Issue: CVE-2022-41852

markt-asf commented on PR #25:
URL: https://github.com/apache/commons-jxpath/pull/25#issuecomment-1282259720

   Please note it is highly likely that all the CVEs issued by Google / oss-fuzz for JXPath without consultation with the ASF and in breach of the rules for CNAs will be resolved as invalid.
   
   Separately, if JXPath opts to provide a feature or features to support users who wish to process untrusted input without validation or sanitisation then a deny list would never be acceptable. A possible approach would be an allow list that defaults to everything that users could then narrow if they wish.
   
   For the avoidance of doubt, my current position is that JXPath is intended to be used with trusted input. I haven't performed an in-depth review of JXPath, so if anyone is aware of reasons why JXPath should be expected to handle untrusted input safely, please speak up.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
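One way the "allow list that defaults to everything, narrowed by the user" design suggested in the comment above could be expressed, as an added illustration that is not JXPath's own code nor part of the pull request: a hypothetical `AllowListFunctions` decorator (name and methods assumed here) around JXPath 1.3's `Functions` interface, installed via `JXPathContext.setFunctions`; the `my:area` / `my:round` names are constructed sample entries.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.jxpath.Function;
import org.apache.commons.jxpath.Functions;
import org.apache.commons.jxpath.JXPathContext;

/** Hypothetical decorator (not JXPath code): an allow list over any Functions source. */
public final class AllowListFunctions implements Functions {
    private final Functions delegate;
    /** null means "everything allowed" (the default); otherwise "prefix:name" keys. */
    private final Set<String> allowed;

    private AllowListFunctions(Functions delegate, Set<String> allowed) {
        this.delegate = delegate;
        this.allowed = allowed;
    }

    /** Default: resolves exactly what the wrapped Functions resolves. */
    public static AllowListFunctions allowingEverything(Functions delegate) {
        return new AllowListFunctions(delegate, null);
    }

    /** Narrow to the given "prefix:name" entries; replaces any earlier narrowing. */
    public AllowListFunctions narrowTo(String... qualifiedNames) {
        Set<String> keys = new HashSet<String>();
        Collections.addAll(keys, qualifiedNames);
        return new AllowListFunctions(delegate, Collections.unmodifiableSet(keys));
    }

    public Set getUsedNamespaces() {
        return delegate.getUsedNamespaces();
    }

    /** Returning null makes JXPath report the function as undefined. */
    public Function getFunction(String namespace, String name, Object[] parameters) {
        String key = (namespace == null ? "" : namespace) + ":" + name;
        if (allowed != null && !allowed.contains(key)) {
            return null; // not on the allow list: never consult the delegate
        }
        return delegate.getFunction(namespace, name, parameters);
    }

    /** Usage: wrap whatever the application registered, exposing only two names. */
    public static JXPathContext narrowedContext(Object bean, Functions registered) {
        JXPathContext ctx = JXPathContext.newContext(bean);
        ctx.setFunctions(allowingEverything(registered).narrowTo("my:area", "my:round"));
        return ctx;
    }
}
```

With no `narrowTo` call the wrapper is transparent, so existing deployments keep their behaviour; only callers who process less-trusted expressions opt into the narrower set.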