Batik version bump #801

Closed

Contributor

@KoenDG KoenDG commented Aug 22, 2023

Compiled locally, so version 1.17 should be available.

3 security fixes:

https://issues.apache.org/jira/browse/BATIK-1349
https://issues.apache.org/jira/browse/BATIK-1347
https://issues.apache.org/jira/browse/BATIK-1346

Something about defining a list for running javascript and then disabling the previous default which allowed everything to run, without configuration.

@haraldk haraldk self-requested a review August 22, 2023 11:39
Owner

@haraldk haraldk left a comment

Unfortunately, the changes (in Batik) break the tests. Do you have time to look into it?

Contributor Author

KoenDG commented Aug 22, 2023

Just so we're on the same page: I don't actually work on Batik. I had to ask something on the mailing list once and now I get these emails when a new release comes out.

I had a look, it looks like they reversed their policy on allowing external resources. You now need to explicitly allow it.

Which can be seen here: apache/xmlgraphics-batik@batik-1_16...1_17#diff-a09c2e890f1e06f62bf5aa58e89994fddb18d88e526a7bab80aef1d55af657d9

Apparently you need to set -allowExternalResources as a flag? But I don't see how.

Looks like the documentation isn't updated yet either: https://people.apache.org/~clay/batik/security.html

So yeah, no idea, sorry.

Owner

haraldk commented Aug 23, 2023

No worries, I think I figured out how to pass my parameter on to Batik, to enable/disable the stricter check.

Owner

haraldk commented Aug 23, 2023

Duplicate of #802

@haraldk haraldk marked this as a duplicate of #802 Aug 23, 2023
@haraldk haraldk closed this Aug 23, 2023
@KoenDG KoenDG deleted the batik_upgrade branch August 27, 2023 14:56