Project handling is susceptible to XXE #71
Describe the bug
The same concept works with archived projects (.gar files) too.
Environment (please complete the following information):
Out of curiosity: are you sure there is a config fix for this? I.e. can external entity processing be disabled globally for JDOM/SAXBuilder? I was under the impression you have to turn it off for every SAXBuilder instance individually. If there is no global way, please make sure to fix this everywhere, because this issue is not restricted to projects; e.g. Tool import is also affected.
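The per-instance configuration raised in the comment above, as an added example that is not part of the original thread and not the project's own code: every `SAXBuilder` is created through a single hardened factory, so each call site (project files, `.gar` archives, tool import) gets the same settings. It assumes JDOM 2 (`org.jdom2`) on the classpath with the JDK's default Xerces-based parser; the class name `SafeSax` and the sample documents are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

/** Hypothetical helper: the only place in the code base that creates SAXBuilder instances. */
public final class SafeSax {
    private SafeSax() {}

    public static SAXBuilder newBuilder() {
        SAXBuilder b = new SAXBuilder();
        // Reject any document that carries a DOCTYPE; without a DTD no entity can be declared.
        b.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPE declarations ever have to be allowed again.
        b.setFeature("http://xml.org/sax/features/external-general-entities", false);
        b.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        b.setExpandEntities(false);
        return b;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a plain document and one that declares an internal entity.
        String plain = "<PROJECT NAME=\"demo\"/>";
        String withDoctype =
            "<!DOCTYPE PROJECT [<!ENTITY e \"x\">]><PROJECT NAME=\"&e;\"/>";

        for (String xml : new String[] { plain, withDoctype }) {
            try {
                Document d = newBuilder().build(new StringReader(xml));
                System.out.println("accepted: " + d.getRootElement().getName());
            } catch (JDOMException e) {
                // The DOCTYPE document ends up here because the parser refuses it outright.
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

A search for `new SAXBuilder(` outside this class then serves as a review check that no call site bypasses the factory.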
Unfortunately, no. Since our source repo is not yet published, there is no commit to link to. Additionally, the commit history up to the source release will not likely be present.