WTP - Ignore external URIs by default #369
Conversation
@nedtwigg Let me know when you have released the new version and I shall integrate it. Or feel free to do the integration yourself.
This looks great! Release is on the way...
ext-eclipse-wtp 3.9.8 is now available on Maven Central
Released in 3.20.0 / 1.20.0
@fvgh Should I open an upstream issue with the Eclipse organization about this?
@JLLeitschuh As stated in this PR description, I don't see that the Eclipse behaviour is a problem for an IDE, but I admit that it is unexpected for Spotless users and a problem for a build tool.
Switch to Eclipse-WTP 3.10. Cleanup fix for #369. Add SLF4J support.
Actually, it is. Malicious compromise was one of the major discoveries of the Check Point team in their ParseDroid vulnerability.
Sorry @JLLeitschuh, as I stressed in #358:
It's a question of what you consider a security problem. If you consider enlarging an attack vector a security problem, then yes, allowing data obtained via HTTP to be processed is a problem. Let's just agree to disagree 😉 ... But don't get me wrong: I very much appreciate that you highlighted the point that users are probably not aware that DTDs/XSDs are downloaded automatically. I am afraid I was already too used to this behaviour and catalogue usage...
@fvgh Thanks for your professional discourse about this and for fixing the issue. I'll take care of reaching out to the Eclipse security team and see what they have to say. Again, thank you so much for your hard work on this!
The Eclipse WTP XML formatter automatically resolves external URIs. URIs that cannot be accessed are ignored. If the referenced external DTD/XSD contains formatting instructions, the formatter result differs depending on whether the URI is reachable or not.
This is not appropriate behaviour for Spotless, since it is used, e.g., for continuous integration testing.
Normally all external URIs shall be included in an XML catalog during the build.
But many users may not be aware that the XML formatter uses the DTDs and XSDs specified in an XML file in the first place.
To prevent a spotlessCheck error due to a failure accessing an external DTD/XSD, the Spotless default behaviour has been changed to ignore external URIs by default.
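The description above makes two claims: that a parser which silently follows the DOCTYPE URI produces a different result depending on whether that URI was reachable, and that a build-time XML catalog is the normal way to keep the result deterministic. The block below is an added example, not code from Spotless or Eclipse WTP, that reproduces both with Python's `xml.sax`: the sample document, the DTD text, the `example.invalid` URI and the `CatalogResolver` / `parse_with_catalog` names are all constructed for the illustration. The "formatting instruction" is an ATTLIST default: it appears in the parsed output only when the DTD was actually processed.

```python
"""Deterministic XML parsing with a build-time catalog instead of network DTD lookups.

Added example (not Spotless or Eclipse WTP code). It shows why a tool that
fetches the DTD named in a DOCTYPE produces different output depending on
whether the URI is reachable, and how routing every lookup through a local
catalog makes the result reproducible without touching the network.
"""
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample document. The DOCTYPE points at an HTTP URI; the host is
# deliberately unresolvable so nothing here can reach a real server.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE config SYSTEM "http://example.invalid/config.dtd">
<config>
  <entry key="timeout">30</entry>
</config>
"""

# Constructed DTD standing in for the catalogued, build-local copy of that URI.
# The ATTLIST default (indent="2") is the "formatting instruction": it only
# shows up in the parsed result when this DTD is actually processed.
CATALOG = {
    "http://example.invalid/config.dtd": (
        "<!ELEMENT config (entry*)>\n"
        "<!ELEMENT entry (#PCDATA)>\n"
        "<!ATTLIST entry key CDATA #REQUIRED indent CDATA \"2\">\n"
    ),
}


class CatalogResolver(EntityResolver):
    """Resolve external DTD/XSD URIs from a local catalog only.

    A URI that is not in the catalog is replaced by an empty external subset
    (the "ignore external URIs" behaviour). Every request is recorded so a
    build can report which URIs it would otherwise have fetched.
    """

    def __init__(self, catalog):
        self.catalog = catalog
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        body = self.catalog.get(systemId, "")
        source = InputSource(systemId)
        # Supplying a character stream means xml.sax never opens the URL.
        source.setCharacterStream(io.StringIO(body))
        return source


class AttrCollector(ContentHandler):
    """Record the attributes reported for each element, DTD defaults included."""

    def __init__(self):
        super().__init__()
        self.seen = {}

    def startElement(self, name, attrs):
        self.seen[name] = dict(attrs.items())


def parse_with_catalog(xml_text, catalog):
    """Parse xml_text, resolving DOCTYPE URIs only through `catalog`.

    Returns (attributes per element, list of URIs the parser asked for).
    """
    parser = xml.sax.make_parser()
    # Opt in to external entity processing (off by default in current Python),
    # but route every lookup through the catalog so the outcome does not
    # depend on network reachability.
    parser.setFeature(feature_external_ges, True)
    resolver = CatalogResolver(catalog)
    parser.setEntityResolver(resolver)
    handler = AttrCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return handler.seen, resolver.requested


if __name__ == "__main__":
    with_dtd, asked = parse_with_catalog(SAMPLE_XML, CATALOG)
    without_dtd, _ = parse_with_catalog(SAMPLE_XML, {})
    print("URIs requested      :", asked)
    print("with catalogued DTD :", with_dtd["entry"])   # key and indent="2"
    print("URI ignored         :", without_dtd["entry"])  # key only
```

The two calls parse the same bytes, yet only the catalogued run reports `indent="2"` on `entry`; that is the same class of difference a formatter shows when a DTD carrying formatting hints is sometimes reachable and sometimes not. Without a custom resolver, `xml.sax` with external entities enabled hands an `http://` system ID to `urllib.request.urlopen`, which is exactly the silent network fetch the issue is about; the resolver above is the catalog equivalent, and an empty catalog gives the new Spotless default of ignoring the URI.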