Hi.
Velocity Tools 3.x doesn't use dom4j anymore, only the standard
javax.xml API. And external DTDs are already disallowed, see XmlUtils
<https://github.com/apache/velocity-tools/blob/422ed611f6d425e9f3143edc7061a1e6c846457c/velocity-tools-generic/src/main/java/org/apache/velocity/tools/XmlUtils.java#L129>
source code.
Regards,
Claude
On 20-12-03 14 h 19, Christian Esken wrote:
Hello,
when reading CVE-2020-10683 I wondered whether Velocity is vulnerable
to using external DTDs. CVE-2020-10683 marks dom4j as vulnerable, and
dom4j is used by velocity-tools (at least version 2.x, but in general
any XML parser supporting DTDs is vulnerable). If it is vulnerable, is
there a way to configure it to not be vulnerable? I found no way to
configure velocity-tools to not read external DTDs. If using dom4j
myself I would usually write code like this:
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setValidating(false);
// JAXP 1.5: an empty protocol list forbids fetching any external DTD
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
What do you think? Any advice is appreciated,
Christian
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org
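The hardening Christian asks about, shown end to end as an added example (this is not code from velocity-tools, nor from either message above): a plain JDK DocumentBuilderFactory is fed a constructed document whose DOCTYPE declares an external entity pointing at a local file, and the same document is then parsed with a factory configured to refuse DOCTYPEs and block external access. The class name, the temp file standing in for a sensitive file, and the helper names are assumptions made for the demo. The disallow-doctype-decl and other http://apache.org/xml/... features are Xerces features, which the JDK's built-in parser honours; on a different JAXP implementation the setFeature calls may throw ParserConfigurationException, which is why they are not swallowed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {

    /** Constructed attacker document: an external general entity that reads a local file URI. */
    static String xxeDocument(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<data>&xxe;</data>\n";
    }

    /** JDK defaults: the DOCTYPE is honoured and external entities are resolved. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened configuration: no DOCTYPE at all, plus defence-in-depth external-access blocks. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: reject any DOCTYPE. This removes external DTD fetches,
        // XXE and entity-expansion bombs in one setting (Xerces feature).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Secondary controls for deployments that must accept a DOCTYPE:
        // JAXP 1.5 properties (empty protocol list = no external access) ...
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // ... and the SAX/Xerces features that older parsers understand.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setValidating(false);
        return f;
    }

    /** Parses xml with the given factory; returns the root element's text, or the parser's refusal. */
    static String parse(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed, root text = \"" + doc.getDocumentElement().getTextContent() + "\"";
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Temp file standing in for /etc/passwd or any file the parsing process can read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "top-secret".getBytes(StandardCharsets.UTF_8));
        try {
            String xml = xxeDocument(secret);
            // Default factory resolves &xxe; and copies the file's contents into the DOM.
            System.out.println("default  : " + parse(defaultFactory(), xml));
            // Hardened factory refuses the document at the DOCTYPE, before any entity is touched.
            System.out.println("hardened : " + parse(hardenedFactory(), xml));
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `javac XxeHardeningDemo.java && java XxeHardeningDemo`; no network is needed because the entity points at a local file. The order of the controls matters for the threat model: disallowing DOCTYPE is the single setting that closes the whole class (external DTDs, XXE, billion-laughs), while ACCESS_EXTERNAL_DTD alone, as in the snippet above, still lets the parser process an inline DTD and its internal entities, so it should be treated as the fallback for parsers that must accept a DOCTYPE rather than as the only control.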