Restrict protocols that can be used when creating a project from a URL #4918
Labels:
fetch urls: About fetching URLs in a project
import: About importers in general - add a label for the data format if available
vulnerability: Security vulnerability which needs fixing
We use Java's `URLConnection` to download the content of a file when creating a project from a URL. This class supports various protocols, some of which can cause the software to execute user-supplied code when fetching the resource. This is potentially a vulnerability in situations where OpenRefine is hosted (which we do not officially support).

We should therefore restrict the set of protocols that can be used in this feature, for instance to `http`, `https`, `ftp` and `sftp`.
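The allowlist approach proposed above, as an added example that is not OpenRefine's own code. It parses the user-supplied string with `java.net.URI`, extracts the scheme the same way the JDK's URL classes would, and only hands the URL to `URLConnection` when the scheme is on an explicit allowlist. The class name `SafeUrlFetcher`, the method names and the sample inputs are assumptions for illustration; the allowlist contents mirror the protocols suggested in the issue.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not OpenRefine code): only opens a URLConnection when the
 * URL's scheme is on an explicit allowlist. Class and method names are
 * assumptions; the allowed protocols are the ones proposed in the issue.
 */
public final class SafeUrlFetcher {

    // Protocols a user may use when creating a project from a URL.
    // Anything not listed here (file, jar, mailto, ...) is rejected.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "ftp", "sftp");

    private SafeUrlFetcher() {}

    /**
     * Returns the lower-cased scheme of the URL if it is allowed and throws
     * IllegalArgumentException otherwise. Parsing with java.net.URI rather than
     * a string-prefix check avoids disagreeing with how the URL classes read it.
     */
    public static String validateScheme(String userSuppliedUrl) {
        final URI uri;
        try {
            uri = new URI(userSuppliedUrl.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Not a valid URL: " + userSuppliedUrl, e);
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            // A relative reference such as "data.csv" has no scheme at all.
            throw new IllegalArgumentException("URL has no scheme: " + userSuppliedUrl);
        }
        scheme = scheme.toLowerCase(Locale.ROOT); // "HTTP://..." is still http
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            throw new IllegalArgumentException("Protocol not allowed: " + scheme);
        }
        return scheme;
    }

    /** Opens the connection only after the scheme has passed the allowlist. */
    public static URLConnection openAllowed(String userSuppliedUrl) throws IOException {
        validateScheme(userSuppliedUrl);
        return new URL(userSuppliedUrl).openConnection();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real project.
        String[] samples = {
            "https://example.com/data.csv",
            "HTTP://example.com/data.csv",
            "ftp://example.com/data.csv",
            "file:///tmp/constructed-example.csv",
            "data.csv"
        };
        for (String s : samples) {
            try {
                System.out.println("allowed  " + s + " (scheme " + validateScheme(s) + ")");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + s + ": " + e.getMessage());
            }
        }
    }
}
```

Two caveats for whoever wires this in: `Set.of` needs Java 9 or later, and the stock JDK ships `URL` protocol handlers for `http`, `https`, `ftp`, `file`, `jar` and `mailto` but not `sftp`, so `openAllowed` would throw `MalformedURLException` for an `sftp` URL unless a handler for it is registered separately. Keeping the allowlist check in front of `openConnection()` also means the check runs before any handler is looked up, which is the point of the restriction.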