https://issues.apache.org/bugzilla/show_bug.cgi?id=53603
Helder Magalhães <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|SVG DOM                     |Web Site
           Severity|major                       |minor

--- Comment #4 from Helder Magalhães <[email protected]> ---
(In reply to comment #3)
> I agree with Thomas.

I agree with Thomas and Jeremias as well.

> However, it might be a good idea to write some documentation about it so
> users are reminded to secure their applications.

Decreasing severity and moving this to the "Web Site" component, more in the
sense of "Documentation" (which doesn't exist); "javadoc" alone doesn't feel
right as well: I'd say that these sorts of reminders belong to a higher level
than Javadoc, although probably something might be done in code documentation
as well.

(In reply to comment #0)
> During visualization with Squiggle or rasterization via the CLI tool, XML
> external entities defined in the DTD are dereferenced and the content of the
> target file is included in the output.
>
> The impact of this vulnerability ranges from denial of service to file
> disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.

First of all, thanks for the report!

Thomas has provided a good insight about this potential issue in comment #2.
Based on the feedback and on a few performed tests, I'd say the example
provided is roughly equivalent to an ECMAScript getURL fetching the
"/etc/passwd" (using the "file" protocol).

If you still believe this can be considered a security issue then please
adjust the priority accordingly. In any case, elaborating a bit longer would
help - for further understanding what can be involved or (simply) to serve as
base for the documentation improvements.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
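The mitigation the thread points at (do not let a DTD-declared external entity reach the rasterizer), as an added example that is not part of the bug report or of Batik's own code. It uses Python's standard `xml.sax` on two constructed SVG documents: one whose internal DTD subset declares an external general entity pointing at a placeholder path, and one with no DOCTYPE. The helper names (`declares_external_entity`, `parse_text_hardened`, `accept_for_rasterization`) and the sample documents are assumptions made for this example.

```python
import re
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes

# Constructed sample: an SVG whose internal DTD subset declares an external
# general entity, the pattern the bug report describes. The SYSTEM target is a
# placeholder path, not a real file.
SVG_WITH_EXTERNAL_ENTITY = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY ext SYSTEM "file:///placeholder/local/file.txt">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>
"""

# Constructed sample: a plain SVG with no DOCTYPE at all.
SVG_CLEAN = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"><text>hello</text></svg>
"""

# An entity declaration is the concern when it points outside the document
# (SYSTEM or PUBLIC identifier). Parameter entities ("% name") are covered too.
_EXTERNAL_ENTITY_DECL = re.compile(
    r"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def declares_external_entity(xml_text: str) -> bool:
    """Cheap pre-parse gate: True if the document declares any external entity.
    Intended for untrusted input before it reaches a tool that might resolve
    entities."""
    return _EXTERNAL_ENTITY_DECL.search(xml_text) is not None


class _TextCollector(xml.sax.ContentHandler):
    """Collects character data so we can see what the parser actually produced."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text_hardened(xml_text: str) -> str:
    """Parse with external general and parameter entities disabled and return
    the concatenated text content. An external entity reference is skipped
    rather than fetched, so no local file content can appear in the output."""
    parser = xml.sax.make_parser()
    # Both features must be switched off before parsing starts.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.feed(xml_text)
    parser.close()
    return "".join(handler.chunks)


def accept_for_rasterization(xml_text: str) -> bool:
    """Policy an application could apply to uploaded SVG: refuse anything that
    declares external entities, independent of how the parser is configured."""
    return not declares_external_entity(xml_text)


if __name__ == "__main__":
    for name, doc in (("xxe", SVG_WITH_EXTERNAL_ENTITY), ("clean", SVG_CLEAN)):
        print(name, "accepted:", accept_for_rasterization(doc),
              "hardened text:", repr(parse_text_hardened(doc)))
```

The two layers are deliberately independent: the regex gate lets an application reject the document up front and log the attempt, while the parser features guarantee that even a document that slips past the gate yields an empty reference instead of file contents. Batik itself is Java, so the equivalent there is the corresponding SAX/JAXP feature switches on the parser it is given; the Python parser is used here only because it is the most convenient way to show the behaviour end to end.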
