[ https://issues.apache.org/jira/browse/BATIK-1276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17038799#comment-17038799 ]
Ashish Chopra commented on BATIK-1276:
--------------------------------------
Hi [~ssteiner], thanks for this issue!
In our project, we were made aware of this very [SSRF vulnerability|https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF] recently. We are currently on batik 1.12, but fixVersion of this JIRA is empty.
Given the fix exists in {{trunk}} already, I'd expect the next batik release to carry it. Can you please let me know when the next batik release (1.13, as I reckon) is scheduled to be released?
> Allow blocking of external resources
> ------------------------------------
>
> Key: BATIK-1276
> URL: https://issues.apache.org/jira/browse/BATIK-1276
> Project: Batik
> Issue Type: Bug
> Reporter: Simon Steiner
> Assignee: Simon Steiner
> Priority: Major
> Attachments: test.svg
>
>
> java -cp batik/lib/*:batik/batik-1.13.0-SNAPSHOT/lib/batik-all-1.13.0-SNAPSHOT.jar org.apache.batik.apps.rasterizer.Main -scriptSecurityOff -blockExternalResources test.svg
>
> Should stop xlink:href value being read
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
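For deployments still on a Batik release that lacks `-blockExternalResources`, one defensive option is to reject SVG input whose `xlink:href` or `href` values point outside the document before it reaches the rasterizer. The following is an added example, not part of the original message and not Batik's own code; the attribute list, the reject-on-DOCTYPE policy, the function names and the sample SVG are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Reference-carrying attributes checked here (assumed list; CSS url(...) is not covered).
REF_ATTRS = ("{http://www.w3.org/1999/xlink}href", "href")

# Constructed sample input, not the test.svg attached to the issue.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><linearGradient id="g"/></defs>
  <use xlink:href="#g"/>
  <image xlink:href="http://intranet.example/report.png" width="1" height="1"/>
  <image href="file:///etc/hostname" width="1" height="1"/>
  <image xlink:href="data:image/png;base64,AAAA" width="1" height="1"/>
  <image xlink:href="images/logo.png" width="1" height="1"/>
</svg>"""


def is_external(ref):
    """Return True when resolving ref would require reading outside the document."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False  # same-document fragment reference
    if urlsplit(ref).scheme.lower() == "data":
        return False  # payload is inline, nothing is fetched
    return True       # absolute URL, or a relative path resolved on disk or network


def external_references(svg_text):
    """Return (element, reference) pairs for every external reference found."""
    if "<!DOCTYPE" in svg_text:
        # Assumed policy: refuse DTDs so entity declarations cannot hide a URL.
        raise ValueError("DOCTYPE declarations are not accepted")
    found = []
    for element in ET.fromstring(svg_text).iter():
        for attr in REF_ATTRS:
            ref = element.get(attr)
            if ref is not None and is_external(ref):
                tag = element.tag.rsplit("}", 1)[-1]  # strip the namespace URI
                found.append((tag, ref))
    return found


if __name__ == "__main__":
    for tag, ref in external_references(SAMPLE_SVG):
        print(f"reject: <{tag}> references {ref}")
```

A caller would refuse to rasterize any file for which `external_references` returns a non-empty list or raises.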