[jira] [Commented] (BATIK-1276) Allow blocking of external resources

Carte Project (Jira)

    [ https://issues.apache.org/jira/browse/BATIK-1276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17038799#comment-17038799 ]

Ashish Chopra commented on BATIK-1276:
--------------------------------------

hi [~ssteiner], thanks for this issue!

In our project, we were made aware of this very [SSRF vulnerability|https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF] recently. We are currently on Batik 1.12, but the fixVersion of this JIRA is empty.
Given the fix exists in {{trunk}} already, I'd expect the next Batik release to carry it - can you please let me know when the next Batik release (1.13, as I reckon) is scheduled to be released?

> Allow blocking of external resources
> ------------------------------------
>
>                 Key: BATIK-1276
>                 URL: https://issues.apache.org/jira/browse/BATIK-1276
>             Project: Batik
>          Issue Type: Bug
>            Reporter: Simon Steiner
>            Assignee: Simon Steiner
>            Priority: Major
>         Attachments: test.svg
>
>
> java -cp batik/lib/*:batik/batik-1.13.0-SNAPSHOT/lib/batik-all-1.13.0-SNAPSHOT.jar org.apache.batik.apps.rasterizer.Main -scriptSecurityOff -blockExternalResources test.svg
>
> Should stop xlink:href value being read
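
Added example (not code from this Jira thread or from the Batik project): a service that embeds Batik as a library rather than invoking the rasterizer CLI quoted above can apply the same deny-external-resources policy through the bridge's UserAgent hook, which the released 1.x versions already expose, so it does not have to wait for a release carrying the new flag. The example assumes that SVGAbstractTranscoder.createUserAgent() is the override point, that ImageTranscoder.ImageTranscoderUserAgent is the transcoder's default user agent class, and that org.apache.batik.bridge.NoLoadExternalResourceSecurity refuses every resource load as its name suggests; the SVG input, the internal.example host and the class name NoExternalResourcesRasterizer are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

import org.apache.batik.bridge.ExternalResourceSecurity;
import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
import org.apache.batik.bridge.UserAgent;
import org.apache.batik.transcoder.TranscoderException;
import org.apache.batik.transcoder.TranscoderInput;
import org.apache.batik.transcoder.TranscoderOutput;
import org.apache.batik.transcoder.image.PNGTranscoder;
import org.apache.batik.util.ParsedURL;

/**
 * Rasterizes SVG to PNG with Batik while refusing every external resource
 * load (image, use, CSS import, ...). Illustrative code, not Batik's own.
 */
public class NoExternalResourcesRasterizer {

    /** A PNGTranscoder whose user agent denies all external resource loads. */
    static PNGTranscoder lockedDownTranscoder() {
        return new PNGTranscoder() {
            @Override
            protected UserAgent createUserAgent() {
                // Keep the transcoder's default user agent (assumed to be
                // ImageTranscoderUserAgent) and replace only its
                // external-resource policy.
                return new ImageTranscoderUserAgent() {
                    @Override
                    public ExternalResourceSecurity getExternalResourceSecurity(
                            ParsedURL resourceURL, ParsedURL docURL) {
                        // NoLoadExternalResourceSecurity.checkLoadExternalResource()
                        // throws SecurityException for any resource, so a value in
                        // xlink:href that points outside the document is never fetched.
                        return new NoLoadExternalResourceSecurity();
                    }
                };
            }
        };
    }

    /**
     * Returns true if the SVG rasterized, false if Batik refused an external load.
     * The refused load is reported as a bridge error, which the transcoder's
     * default error handler is assumed to surface as a TranscoderException.
     */
    static boolean rasterize(String svg, ByteArrayOutputStream png) {
        TranscoderInput in = new TranscoderInput(
                new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8)));
        TranscoderOutput out = new TranscoderOutput(png);
        try {
            lockedDownTranscoder().transcode(in, out);
            return true;
        } catch (TranscoderException e) {
            System.err.println("rasterization refused: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an <image> whose href points at a host the
        // rasterizing service should never be made to contact.
        String svg = "<svg xmlns='http://www.w3.org/2000/svg' "
                + "xmlns:xlink='http://www.w3.org/1999/xlink' width='10' height='10'>"
                + "<image width='10' height='10' xlink:href='http://internal.example/'/>"
                + "</svg>";

        // Constructed sample with no external reference: should render normally.
        String selfContained = "<svg xmlns='http://www.w3.org/2000/svg' width='10' height='10'>"
                + "<rect width='10' height='10' fill='black'/></svg>";

        ByteArrayOutputStream png = new ByteArrayOutputStream();
        System.out.println("external href rendered: " + rasterize(svg, png));
        png.reset();
        System.out.println("self-contained rendered: " + rasterize(selfContained, png)
                + " (" + png.size() + " bytes)");
    }
}
```

Because the policy lives in the user agent, it applies to every bridge that consults it, not only to <image>, and it is independent of the -scriptSecurityOff setting, which governs script execution rather than resource loading.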

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
