Bug 958727 - plexus-utils: XML generators should guard against problematic text strings
Summary: plexus-utils: XML generators should guard against problematic text strings
Alias: None
Product: Fedora
Classification: Fedora
Component: plexus-utils
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Mikolaj Izdebski
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 958220 1009413
Reported: 2013-05-02 10:07 UTC by Florian Weimer
Modified: 2016-05-09 04:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1009413
Last Closed: 2015-05-14 10:29:11 UTC
Type: Bug


Description Florian Weimer 2013-05-02 10:07:27 UTC
org.codehaus.plexus.util.xml#writeComment(XMLWriter, String, int, int, int) does not check if the comment includes a "-->" sequence. This means that text contained in the comment string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called.

Comment 1 Florian Weimer 2013-05-02 11:29:01 UTC
Similarly, org.codehaus.plexus.util.xml.pull.MXSerializer should avoid XML injection through comments, processing instructions, CDATA sections, etc.
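The guard the report asks for, shown as an added example that is not plexus-utils code: an unguarded comment writer beside a strict one that rejects text the XML 1.0 comment grammar forbids ("--" anywhere, or a trailing "-") and a lenient one that neutralises it, plus the matching checks for CDATA ("]]>") and processing-instruction ("?>") terminators. Class and method names are hypothetical.

```java
public final class SafeXmlComment {

    private SafeXmlComment() {}

    /** Unguarded variant: mirrors the behaviour described in the report. */
    static String writeCommentUnguarded(String text) {
        return "<!--" + text + "-->";
    }

    /** Strict variant: reject anything that would let the comment terminate early. */
    static String writeCommentStrict(String text) {
        // XML 1.0: a comment body may not contain "--" and may not end with "-".
        if (text.contains("--") || text.endsWith("-")) {
            throw new IllegalArgumentException("comment text must not contain '--' or end with '-'");
        }
        return "<!--" + text + "-->";
    }

    /** Lenient variant: break up every "--" so no terminator can be formed. */
    static String writeCommentSanitized(String text) {
        String safe = text;
        // Loop: a single replace on "---" would leave a fresh "--" behind.
        while (safe.contains("--")) {
            safe = safe.replace("--", "- -");
        }
        if (safe.endsWith("-")) {
            safe = safe + " ";
        }
        return "<!--" + safe + "-->";
    }

    /** CDATA: "]]>" inside the body ends the section; split it across two sections. */
    static String writeCData(String text) {
        return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>";
    }

    /** Processing instruction: "?>" in the data ends the PI, so it must be refused. */
    static String writeProcessingInstruction(String target, String data) {
        if (data.contains("?>")) {
            throw new IllegalArgumentException("PI data must not contain '?>'");
        }
        return "<?" + target + " " + data + "?>";
    }

    public static void main(String[] args) {
        // Constructed sample: comment text taken from an untrusted source.
        String untrusted = "build note --><injected-element/><!-- ";
        System.out.println(writeCommentUnguarded(untrusted)); // element escapes the comment
        System.out.println(writeCommentSanitized(untrusted)); // stays inside the comment
        System.out.println(writeCData("a]]>b"));
    }
}
```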

Comment 2 Fedora End Of Life 2013-09-16 13:44:01 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:

Comment 3 Mikolaj Izdebski 2015-05-14 10:29:11 UTC
This is a feature request and as such it has been forwarded upstream: http://jira.codehaus.org/browse/PLXUTILS-177

Comment 5 Mikolaj Izdebski 2016-05-09 04:28:46 UTC
Fixed in upstream version 3.0.24
