#19286 closed defect (fixed)
[PATCH] External entities are resolved when parsing tagging presets
| Reported by: | hiddewie | Owned by: | team |
|---|---|---|---|
| Priority: | normal | Milestone: | 20.06 |
| Component: | Core | Version: | |
| Keywords: | security external | Cc: | |
Description
This problem can cause a security vulnerability if users use tagging presets from an untrusted source.
By having a preset installed that references an XML external entity, information from the local system may be disclosed. Also see https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing and https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html.
Also added some tests for the other (safe) XML utility methods that already worked safely.
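The defence the ticket asks for is a parser that never resolves entities declared in a preset file. The following is an added example written for this page, not JOSM's own XML utility code: it builds a hardened JAXP `DocumentBuilderFactory` (the feature and property names are the standard Xerces/JAXP ones shipped with the JDK), then parses a constructed benign preset and a constructed preset carrying an external entity declaration; the hardened parser rejects the second one before any file is read. The class name `SafePresetXml`, the sample preset strings and the `file:///PLACEHOLDER/...` URI are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example (not JOSM code): parse preset XML without resolving external entities. */
public final class SafePresetXml {

    /** DOM parser factory with DTD processing and external entity resolution disabled. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Presets need no DTD at all: reject any DOCTYPE outright, which also blocks entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for JAXP implementations that ignore the DOCTYPE feature.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 properties: an empty protocol list forbids all external DTD/schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses a preset document; throws SAXException if it carries a DOCTYPE or entity declaration. */
    static Document parsePreset(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign preset with one item.
        String benign = "<presets><item name=\"Bench\"><key key=\"amenity\" value=\"bench\"/></item></presets>";
        // Constructed sample: a preset declaring an external entity that points at a placeholder local file.
        String withEntity = "<!DOCTYPE presets [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/local/file\">]>"
                + "<presets><item name=\"&ext;\"/></presets>";

        System.out.println("benign root element: " + parsePreset(benign).getDocumentElement().getTagName());
        try {
            parsePreset(withEntity);
            System.out.println("UNEXPECTED: entity-bearing preset was accepted");
        } catch (SAXException e) {
            // With disallow-doctype-decl the JDK parser fails at the DOCTYPE, so the entity is never fetched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

A regression test for this class of bug is the second half of `main`: feed the parser a document with an entity declaration and assert that it throws rather than returning a `Document`. If a third-party JAXP implementation does not support one of the feature URIs, `setFeature` throws `ParserConfigurationException`; treat that as a hard failure rather than falling back to the default factory, since the default resolves external entities.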
Attachments (1)
Change History (3)
by , 4 years ago
comment:1 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:2 by , 4 years ago
| Keywords: | security external added |
|---|---|
| Milestone: | → 20.06 |
In 16560/josm: