Lift 3.0-M5: Security Snapshot Release
Shadowfiend released this · 19 Apr 19:43 · 915 commits to main since this release
Lift 3.0-SNAPSHOT was found to be vulnerable to XML External Entity (XXE) attacks: if your application parses XML that an attacker controls, a DOCTYPE declaring an external entity can make the parser read files that the application process can open (for example via a file:// system identifier) and leak their contents back through your application.

Lift 3.0-M5 introduces net.liftweb.util.Helpers.secureXML, an object analogous to Scala's scala.xml.XML that is secured against XXE attacks by disabling external entities in doctypes. If you are parsing untrusted, user-provided XML with scala.xml.XML, switch to secureXML instead.
Lift 3.0-M5 was rapidly superseded by Lift 3.0-M5-1, which hardens the secureXML object against a few additional XML-based attacks. Upgrade to 3.0-M5-1 rather than stopping at 3.0-M5.