
[#34] Make setFeature calls optional #56

Merged
merged 1 commit into from Nov 21, 2022

Conversation

ppkarwasz (Contributor)

IMHO a missing DocumentBuilderFactory.setFeature() method or support for disabling external entities should not cause a parsing error, just warnings.

IMHO a missing `setFeature()` method or support for disabling external
entities should not cause a parsing error, just warnings.

Signed-off-by: Piotr P. Karwasz <piotr.github@karwasz.org>
@ceki ceki merged commit 9a029af into qos-ch:master Nov 21, 2022
ceki added a commit that referenced this pull request Nov 21, 2022
This reverts commit 9a029af, reversing
changes made to fb382fd.
ceki (Member) commented Nov 21, 2022

@ppkarwasz While I have great respect for your abilities, I had to revert this change as it potentially opens the code for a vulnerability, however unlikely. In case of doubt, I prefer to err on the side of caution.

I understand that this might seem silly given that, if the code in question throws an exception, the underlying SAX implementation will probably not honor the setFeature calls. However, it seems preferable to let the users know about it instead of trying to compensate for it.

ppkarwasz (Contributor, Author)

@ceki,

Since you are ultimately responsible for the security of Reload4j, I completely understand your point of view.

This PR was motivated by this question on StackOverflow, although I never asked the user for more details and the user in question never filed a bug report.
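As an added example, not code from reload4j or from either participant, the stand-alone Java class below shows the two behaviours the thread is weighing for the `DocumentBuilderFactory.setFeature()` calls: letting the `ParserConfigurationException` propagate when the JAXP implementation lacks a feature (the fail-closed behaviour the revert keeps) versus catching it and logging a warning (the behaviour this PR proposed). The list of feature URIs is an assumption about what "disabling external entities" covers in practice; reload4j's own list is not shown on this page. The XXE payload is constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Two ways of applying the usual anti-XXE features to a DocumentBuilderFactory:
 * fail closed (what the revert keeps) or warn and continue (what PR #56 proposed).
 * Illustrative example; the feature list is an assumption about what
 * "disabling external entities" covers, not reload4j's own list.
 */
public class XxeFeatureModes {

    /** Feature URIs and the value each must take to neuter DTD and entity processing. */
    private static final Map<String, Boolean> HARDENING = new LinkedHashMap<>();
    static {
        HARDENING.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        HARDENING.put("http://apache.org/xml/features/disallow-doctype-decl", true);
        HARDENING.put("http://xml.org/sax/features/external-general-entities", false);
        HARDENING.put("http://xml.org/sax/features/external-parameter-entities", false);
        HARDENING.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    }

    /**
     * Fail closed: if the JAXP implementation rejects any feature, the
     * ParserConfigurationException propagates and no parser is built.
     */
    public static DocumentBuilderFactory strictFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        for (Map.Entry<String, Boolean> f : HARDENING.entrySet()) {
            dbf.setFeature(f.getKey(), f.getValue());
        }
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /**
     * Warn and continue: each unsupported feature is logged, and the caller gets
     * a factory whose real protection is only as good as the features that stuck.
     * This is the trade-off the maintainer declined to make.
     */
    public static DocumentBuilderFactory lenientFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        for (Map.Entry<String, Boolean> f : HARDENING.entrySet()) {
            try {
                dbf.setFeature(f.getKey(), f.getValue());
            } catch (ParserConfigurationException e) {
                System.err.println("WARN: parser does not support " + f.getKey()
                        + "; XML external entity protection may be incomplete");
            }
        }
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Constructed payload: a DOCTYPE declaring an external entity that points at a local file. */
    static final String XXE_PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE r [<!ENTITY leak SYSTEM \"file:///etc/hostname\">]>\n"
            + "<r>&leak;</r>";

    /** Parses the payload with the given factory and reports whether it was rejected. */
    static String parseWith(DocumentBuilderFactory dbf) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document doc = db.parse(new ByteArrayInputStream(XXE_PAYLOAD.getBytes(StandardCharsets.UTF_8)));
            return "parsed, text content: '" + doc.getDocumentElement().getTextContent() + "'";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // The JDK's bundled Xerces supports all five features, so both modes reject
        // the DOCTYPE here; the two modes only diverge on an implementation whose
        // setFeature() throws, which is exactly the case the PR and the revert disagree on.
        System.out.println("strict : " + parseWith(strictFactory()));
        System.out.println("lenient: " + parseWith(lenientFactory()));
    }
}
```

The point to check on any real deployment is the lenient path: a warning on stderr is easy to miss in a logging library's own bootstrap, while a propagated exception cannot be. If a parser does throw from `setFeature()`, confirm with a payload like the one above whether the entity is actually resolved before deciding that a warning is enough.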
