Replace unsupported XML properties with feature-based security settings #939

Merged
merged 1 commit into from
Oct 25, 2024

mholthausen
Member

Description

This PR improves the XML parser security configuration in OgcXmlUtil by replacing unsupported properties with feature-based settings. The previous configuration attempted to set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA, which were not recognized by the current XML parser, causing errors in certain environments.

Changes

  • Removed ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties due to compatibility issues.
  • Enabled FEATURE_SECURE_PROCESSING for safer XML parsing.
  • Added feature-based settings to:
    • Disallow DOCTYPE declarations (disallow-doctype-decl)
    • Disable external general entities (external-general-entities)
    • Disable external parameter entities (external-parameter-entities)

@terrestris/devs please review

Related issues or pull requests

Replaces part of the previous PR #931 to handle unsupported XML property errors more effectively

Pull request type

  • Bugfix
  • Feature
  • Dependency updates
  • Tests
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe)

Do you introduce a breaking change?

  • Yes
  • No

Checklist

  • I understand and agree that the changes in this PR will be licensed under the
    Apache Licence Version 2.0.
  • I have followed the guidelines for contributing.
  • The proposed change fits to the content of the code of conduct.
  • I have added or updated tests and documentation, and the test suite passes (run mvn test locally).
  • I have added a screenshot/screencast to illustrate the visual output of my update.
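
An added example, not the project's OgcXmlUtil code: the feature-based settings listed under Changes, applied to a JAXP `DocumentBuilderFactory` and checked against a constructed document that carries a DOCTYPE. The use of `DocumentBuilderFactory` is an assumption (the PR text does not name the factory class), and the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class HardenedXmlParserExample {

    // Hypothetical helper. ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_SCHEMA are
    // intentionally not set: the PR removed them because the parser in use
    // did not recognise those properties.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // setFeature throws ParserConfigurationException if the underlying
        // parser does not support a feature, so a gap fails at startup
        // instead of silently leaving the parser unhardened.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return dbf;
    }

    // Returns true if the document parses, false if the parser rejects it.
    static boolean parses(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an ordinary namespaced request element,
        // and a document whose only unusual part is a DOCTYPE declaration.
        String plain = "<wfs:GetFeature xmlns:wfs=\"http://www.opengis.net/wfs\"/>";
        String withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        System.out.println("plain request parses:   " + parses(plain));
        System.out.println("DOCTYPE request parses: " + parses(withDoctype));
    }
}
```

With `disallow-doctype-decl` enabled the second document is rejected before any entity is processed; the two entity features cover parsers or call sites where DOCTYPE cannot be forbidden outright.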

Member

@jansule jansule left a comment

Nice!

@mholthausen mholthausen merged commit a9cb08e into main Oct 25, 2024
4 checks passed
Contributor

🎉 This PR is included in version 21.1.2 🎉

The release is available on:

Your semantic-release bot 📦🚀
