
[cometvisu] Add more path checks and secure against XXE attacks #2696

Merged (6 commits), Aug 8, 2024

Conversation

peuter (Member) commented Aug 5, 2024

also deny external xml schema loading (avoid XXE attacks)
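As an added example that is not part of this PR or of the openHAB code base, this is what "deny external XML schema loading" looks like for a JAXP parser: the JDK parser's DOCTYPE-rejection feature plus the JAXP 1.5 external-access properties on both the DOM builder and the schema factory. The class name and the sample document are constructed for illustration; cometvisu's own config-loading code is not shown on this page.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXParseException;

public class HardenedXmlParsing {
    // DOM parser that refuses DTDs, external entities and external DTD/schema fetches.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: blocks classic XXE and entity-expansion bombs in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Schema factory that will not resolve schemas or DTDs from file: or http: locations.
    static SchemaFactory hardenedSchemaFactory() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a config document whose DOCTYPE declares an external entity.
        String sample = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE pages [<!ENTITY ext SYSTEM \"http://example.invalid/ext.xml\">]>\n"
                + "<pages><page name=\"&ext;\"/></pages>";
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: document accepted");
        } catch (SAXParseException e) {
            // Expected path: the DOCTYPE is rejected before any entity could be resolved.
            System.out.println("rejected: " + e.getMessage());
        }
        hardenedSchemaFactory(); // constructing it confirms the properties are supported
    }
}
```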

peuter added 4 commits August 5, 2024 17:21
Signed-off-by: Tobias Bräutigam <tbraeutigam@gmail.com>
Signed-off-by: Tobias Bräutigam <tbraeutigam@gmail.com>
Signed-off-by: Tobias Bräutigam <tbraeutigam@gmail.com>
Signed-off-by: Tobias Bräutigam <tbraeutigam@gmail.com>
kaikreuzer (Member) commented:

Please also adapt the title and description of this PR to provide some more details - thanks!

kaikreuzer (Member) commented:

@peuter Please also note that there is a new comment on the advisory.
I'd love to do a 4.2.x patch release by Friday - it would thus be great if we could settle everything by tomorrow.

peuter changed the title from "[cometvisu] more security related fixes" to "[cometvisu] add more path checks" on Aug 7, 2024
peuter added 2 commits August 7, 2024 17:24
Signed-off-by: Tobias Bräutigam <tbraeutigam@gmail.com>
Signed-off-by: Tobias Bräutigam <tbraeutigam@gmail.com>
kaikreuzer (Member) left a review comment:

Thanks!

kaikreuzer merged commit 5e53b21 into openhab:main on Aug 8, 2024
5 checks passed
kaikreuzer changed the title from "[cometvisu] add more path checks" to "[cometvisu] Add more path checks and secure against XXE attacks" on Aug 8, 2024
kaikreuzer added this to the 4.3 milestone on Aug 8, 2024
kaikreuzer added the "enhancement" label (New feature or request) on Aug 8, 2024
kaikreuzer pushed a commit to kaikreuzer/openhab-webui that referenced this pull request Aug 8, 2024
also deny external xml schema loading (avoid XXE attacks)

Signed-off-by: Tobias Bräutigam <tbraeutigam@gmail.com>
kaikreuzer added the labels "patch" (A PR that has been cherry-picked to a patch release branch) and "bug" (Something isn't working), and removed the "enhancement" label (New feature or request) on Aug 9, 2024