Hi,
I’d like to get confirmation that we can backport Davide’s patches to control XML
entity expansion on the stable series
(e.g., https://github.com/geoserver/geoserver/pull/193)
The entity expansion thing introduces a couple of small API changes in terms
of extra methods in implementation classes (no interfaces) which makes it backwards
compatible.
If you want to read more about this kind of attack, see here:
http://clawslab.nds.rub.de/wiki/index.php/XML_C14N_Entity_Expansion
Cheers
Andrea
--
==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it