<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>This is a very good point.</p>
    <p>Something like this should be added to the DOMConfigurator class:<br>
    </p>
    <blockquote>
      <pre>import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Xerces-specific features: do not build a DTD grammar and do not fetch the
// external DTD subset named by the DOCTYPE's SYSTEM id (setFeature throws
// ParserConfigurationException if the underlying parser lacks the feature).
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);</pre>
    </blockquote>
    <p>/Robert<br>
    </p>
    <pre class="moz-signature" cols="72">_______________________________________
Robert Olofsson, Sweden

<a class="moz-txt-link-freetext" href="http://www.unlogic.se">http://www.unlogic.se</a>

 
</pre>
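<p>The following is an added example (editor's code, not reload4j's or Robert's) that puts the two Xerces features above next to the rest of the hardening Bernd asks about: secure processing, the SAX external-entity features, and the JAXP 1.5 access attributes that restrict remote protocols. It deliberately keeps DOCTYPE allowed, since log4j.xml declares one, so <code>disallow-doctype-decl</code> is not used. The <code>example.allowExternalEntities</code> system property is a hypothetical opt-out to illustrate the "system property" option; reload4j defines no such property. The secret file and the log4j.xml-style document are constructed inline so the program runs offline. Running it shows that the default factory reads the file through the entity reference, while the hardened factory does not, even though the entity is declared in the internal DTD subset and <code>load-external-dtd=false</code> alone does not cover that case.</p>

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (not reload4j code): a default DocumentBuilderFactory next to
 * one hardened for a log4j.xml-style document that still carries a DOCTYPE.
 */
public class HardenedLog4jXmlParsing {

    /** Hypothetical opt-out property for this example; reload4j has no such property. */
    static final String ALLOW_EXTERNAL_PROP = "example.allowExternalEntities";

    /** Factory exactly as obtained with no configuration at all. */
    static DocumentBuilderFactory lenient() {
        return DocumentBuilderFactory.newInstance();
    }

    /**
     * Accepts a DOCTYPE (log4j.xml declares one) but never fetches anything it
     * points at: no external DTD subset, no external general or parameter
     * entities, no XInclude, and no external access via JAXP 1.5 attributes.
     */
    static DocumentBuilderFactory hardened() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Entity-expansion limits (billion laughs) and other secure defaults.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces: do not build a DTD grammar and do not load the external DTD subset.
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // SAX: without these, an entity declared with a SYSTEM id in the
        // *internal* subset is still resolved even when load-external-dtd is false.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        // JAXP 1.5: protocols allowed for external DTDs/entities and schemas; ""
        // means none. An allow-list such as "file" would keep a local log4j.dtd
        // resolvable while still blocking http/https (SSRF).
        try {
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException unsupported) {
            // Pre-JAXP-1.5 parser: the feature flags above still apply.
        }
        return dbf;
    }

    /** Chooses the factory; the opt-out property is an assumption of this example. */
    static DocumentBuilderFactory forConfig() throws ParserConfigurationException {
        return Boolean.getBoolean(ALLOW_EXTERNAL_PROP) ? lenient() : hardened();
    }

    /** Parses a config document and returns the text content of its root element. */
    static String rootText(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("root").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret file standing in for /etc/passwd or an http:// target.
        Path secret = Files.createTempFile("reload4j-xxe-demo", ".txt");
        Files.write(secret, "SECRET".getBytes(StandardCharsets.UTF_8));

        // Constructed log4j.xml-style document with an external entity declared in
        // its internal DTD subset. The reference sits in element text, which
        // DOMConfigurator ignores, but the parser still reads the target.
        String xxeConfig = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE log4j:configuration [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
            + "]>\n"
            + "<log4j:configuration xmlns:log4j=\"http://jakarta.apache.org/log4j/\">\n"
            + "  <root>&xxe;</root>\n"
            + "</log4j:configuration>\n";

        try {
            System.out.println("lenient : " + rootText(lenient(), xxeConfig));
            try {
                String text = rootText(hardened(), xxeConfig);
                System.out.println("hardened: '" + text + "' (entity skipped, not resolved)");
            } catch (SAXException rejected) {
                System.out.println("hardened: rejected: " + rejected.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

<p>The lenient parse prints the file's contents; the hardened parse either yields empty text (the entity is skipped) or a parse error, depending on which guard the parser hits first, and in neither case is the file opened. Whichever subset of these settings is adopted, the check worth keeping is a test like this one that feeds an internal-subset SYSTEM entity through the real configurator path, since that is the case the two Xerces features alone leave open.</p>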
    <div class="moz-cite-prefix">On 2022-01-24 at 14:31, Bernd Eckenfels wrote:<br>
    </div>
    </div>
    <blockquote type="cite"
cite="mid:AM9P193MB114212CA63BE00EB45F8507BFF5E9@AM9P193MB1142.EURP193.PROD.OUTLOOK.COM">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div dir="ltr" style="">
        <div>
          <div>Thanks a lot for forking the project.</div>
          <div dir="ltr"><br>
          </div>
          <div dir="ltr">I noticed there is another known “open issue”
            which has no CVE assigned, but given that the other CVEs
            expect untrusted config entries, it might be in scope as
            well?</div>
          <div dir="ltr"><br>
          </div>
          <div dir="ltr">Apache claims that the XML parser is vulnerable
            to external includes (XXE, billion laughs, SSRF). Should
            we enable secure processing and restrict remote protocols?
            If so, should we do it unconditionally or with a system
            property, in case someone really used an external entity?</div>
          <div dir="ltr"><br>
          </div>
          <div dir="ltr">From the website:</div>
          <div dir="ltr"><br>
          </div>
          <div dir="ltr">
            <h2 style="padding: 4px 4px 4px 6px; border: 1px solid
              rgb(153, 153, 153); font-weight: 900; font-size: x-large;
              font-family: Verdana, Helvetica, Arial, sans-serif; color:
              rgb(153, 0, 0); background-color: rgb(221, 221, 221);">
              Other issues of note</h2>
            <p
              style="line-height:1.3em;font-size:small;caret-color:rgb(0,
              0, 0);font-family:Verdana, Helvetica, Arial, sans-serif">
              Log4j 1 doesn't restrict DTD entities in log4j.xml. Users
              should be careful to ensure any entities specified are
              correct and secure.</p>
            <br style="caret-color:rgb(0, 0, 0)">
            <br>
          </div>
          <div dir="ltr">BTW, I mentioned the Red Hat backports on Twitter;
            it looks like all of them are addressed in reload4j (some
            slightly differently). They can be seen here, for example:
            <a href="https://git.centos.org/rpms/log4j/commits/c7"
              moz-do-not-send="true" class="moz-txt-link-freetext">https://git.centos.org/rpms/log4j/commits/c7</a></div>
          <div id="ms-outlook-mobile-signature">
            <div style="direction:ltr">-- </div>
            <div style="direction:ltr"><a class="moz-txt-link-freetext" href="http://bernd.eckenfels.net">http://bernd.eckenfels.net</a></div>
          </div>
        </div>
      </div>
      <br>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
reload4j mailing list
<a class="moz-txt-link-abbreviated" href="mailto:reload4j@qos.ch">reload4j@qos.ch</a>
<a class="moz-txt-link-freetext" href="http://mailman.qos.ch/cgi-bin/mailman/listinfo/reload4j">http://mailman.qos.ch/cgi-bin/mailman/listinfo/reload4j</a>
</pre>
    </blockquote>
  </body>
</html>