https://issues.apache.org/bugzilla/show_bug.cgi?id=53603
--- Comment #2 from Thomas Deweese <[email protected]> ---

I don't want to dismiss this out of hand, but I'm not sure I agree that a vulnerability really exists. Given that Batik is more a toolkit than a finished product, a lot more of the responsibility for avoiding these issues falls on the users rather than the library. This is more or less required given that it's impossible for us to know ahead of time what parts of the system the Batik libraries should be allowed to access or not.

Please note that xxe.svg will fail if you use Squiggle _and_ you fetch 'xxe.svg' from a server (I even tried variants like replacing etc/passwd with file:///etc/passwd).

People using the rasterizer to rasterize random content from the web should be more careful. They can use Java's built-in support for policy files to restrict access to the file system. I don't think it would be appropriate for the toolkit to restrict this ahead of time since many legitimate uses may need fairly wide access to the filesystem.

I checked, and browsers seem to block all access to the file system when loading a file from the disk even if it's co-located. That may make sense for a browser, but I think it would block many legitimate uses of Batik.
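The policy-file mitigation the comment points to, as an added example that is not part of the bug report or of the Batik project: a Java security policy that confines the rasterizer's file access to one input tree and one output tree, shown against the unconfined launch. The codeBase path, the two directories, the `svg.in`/`svg.out` property names and the file name `batik.policy` are assumptions.

```java
// Added example (not from the bug report or Batik): a Java security policy,
// saved as batik.policy (hypothetical name), that confines the rasterizer.
// The codeBase, the directories and the svg.in/svg.out properties are assumed.
//
// Weak setting, for contrast: with no Security Manager the rasterizer runs with
// the full rights of the JVM user, so an SVG that references file:///etc/passwd
// (the case in this report) can read any file that user can read:
//   java -jar batik-rasterizer.jar untrusted.svg
//
// Hardened launch: enable the Security Manager and make this file the only
// policy ("==" replaces the default policy instead of appending to it):
//   java -Djava.security.manager \
//        -Djava.security.policy==batik.policy \
//        -Dsvg.in=/srv/svg-in -Dsvg.out=/srv/svg-out \
//        -jar batik-rasterizer.jar /srv/svg-in/untrusted.svg
// A file:/// reference outside ${svg.in} then fails with an
// AccessControlException instead of being read into the output.

grant codeBase "file:/opt/batik/-" {
    // Read only the directory the untrusted SVGs are staged in.
    permission java.io.FilePermission "${svg.in}/-", "read";
    // Write only into the output directory.
    permission java.io.FilePermission "${svg.out}/-", "read,write";
    // Batik reads system properties (temp dir, font paths, etc.).
    permission java.util.PropertyPermission "*", "read";
    // Runtime permissions commonly needed by AWT/imaging code; treat this set
    // as a starting point, not a verified minimum for a given Batik release.
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "getenv.*";
};
```

Run once with `-Djava.security.debug=access,failure` to see which further permissions your fonts or codecs still require before tightening further. The Security Manager this relies on is deprecated for removal since JDK 17, so on current JDKs treat it as a stopgap and confine the rasterizer at the OS or container level as well.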
