Skip to content

Lift 3.0-M4-1: Security Milestone Release

Compare
Choose a tag to compare
@Shadowfiend Shadowfiend released this 19 Apr 19:42
· 980 commits to main since this release

Lift 3.0-M3 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML. In the process of communicating the vulnerability to Typesafe,
they referred us to a more-restricted version of XML parsing used to prevent
additional vulnerabilities like the billion laughs vulnerability and its sibling
quadratic blowup vulnerability.

Lift 3.0-M4 fixed the XXE attacks, but Lift 3.0-M4-1 was released to shore up the
additional vulnerabilities we were made aware of. This is done by disabling
inline DTDs altogether. We also enable secure processing, which adds restrictions
to supporting parsers to prevent denial-of-service style attacks on XML parsing.
Anyone who switched to use net.liftweb.util.Helpers.secureXML will automatically
get these additional protections.

To do this, Lift 3.0-M4-1 depends on Apache Xerces version 2.11. Some concerns
have been brought up about this additional dependency and how it may interact
with other XML parsing that may occur in the application; please provide feedback
on the mailing list if you run into any issues related to this new dependency.