tballison commented on code in PR #2437: URL: https://github.com/apache/tika/pull/2437#discussion_r2606962398
##########
tika-core/src/main/java/org/apache/tika/utils/XMLReaderUtils.java:
##########
Review Comment:
   For defense in depth, you should also fix the IGNORING_STAX_ENTITY_RESOLVER: https://github.com/apache/tika/blob/main/tika-core/src/main/java/org/apache/tika/utils/XMLReaderUtils.java#L129

   The crux of the vulnerability was that I relied on returning an empty string as the method of security here. Java didn't like the String that the XMLResolver returned and just silently ignored it and backed off to default behavior -- external entities, yeah, sounds great. Meanwhile, woodstox used the empty string as the entity, and the original method worked. :head-brick:
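To make the pitfall in the comment concrete, here is an added example (not Tika's code) that parses a constructed document with the two resolver styles, once with only the resolver and once with external entity support switched off at the factory. It assumes the JDK's built-in StAX behaves as the comment describes (a String return value is ignored and the system id is opened) and that the sample's file path does not exist; class and field names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;

public class StaxEntityResolverDemo {
    // Constructed sample (not from Tika): one external entity whose system id
    // is assumed not to exist, so default resolution fails loudly.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///nonexistent/probe.txt\">]>\n"
            + "<d>&ext;</d>";
    // The pattern from the comment: "" as the entity content. Woodstox accepts a
    // String; the JDK's built-in StAX only honours InputStream, XMLStreamReader or
    // XMLEventReader, treats anything else as unresolved and opens the system id.
    static final XMLResolver EMPTY_STRING = (pub, sys, base, ns) -> "";
    // A return type every implementation understands: an empty InputStream.
    static final XMLResolver EMPTY_STREAM =
            (pub, sys, base, ns) -> new ByteArrayInputStream(new byte[0]);

    // Parses SAMPLE with the given resolver and returns the content of <d>.
    static String parse(XMLResolver resolver, boolean hardened) throws Exception {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.RESOLVER, resolver);
        if (hardened) {
            // Defense in depth: do not depend on the resolver's return value at all.
            f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        }
        XMLStreamReader r = f.createXMLStreamReader(
                new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        StringBuilder out = new StringBuilder();
        while (r.hasNext()) {
            int ev = r.next();
            if (ev == XMLStreamConstants.CHARACTERS) out.append(r.getText());
            else if (ev == XMLStreamConstants.ENTITY_REFERENCE) out.append("&" + r.getLocalName() + "; (unexpanded)");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        for (boolean hardened : new boolean[] {false, true}) {
            for (XMLResolver res : new XMLResolver[] {EMPTY_STRING, EMPTY_STREAM}) {
                String result;
                try { result = "content=\"" + parse(res, hardened) + "\""; }
                catch (Exception e) { result = "rejected: " + e.getMessage(); } // resolver bypassed, system id opened
                System.out.printf("hardened=%b resolver=%s -> %s%n", hardened,
                        res == EMPTY_STRING ? "empty String" : "empty InputStream", result);
            }
        }
    }
}
```

An exception naming the sample's file path in the non-hardened, empty-String run is the tell that the resolver's return value was discarded; the factory property is what stops that regardless of which StAX implementation is on the classpath.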
