Re: Vulnerabilities in FontTools & FontForge

Open Source Security

Posted by Hanno Böck on Mar 08

Hi,

I was surprised that any library would do this by default in 2024.
According to their webpage, lxml does *not* enable external entity
expansion by default, but changed the default only very recently.

https://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint
says:
“Since version 5.x, lxml disables the expansion of external entities
(XXE) by default. If you really want to allow loading external files
into XML documents…”
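The post's point is that safety depends on which lxml version happens to be installed. As an added example (not from the post, and not lxml's own code), the following Python uses only the standard library's expat binding to inspect a document's prolog and report any external entity declaration or external DTD subset before the bytes are handed to lxml, so the gate behaves the same whatever the parser's version default is. Nothing is fetched; only declarations are read. The sample documents are constructed for the demonstration, and the function names are my own.

```python
"""Version-independent XXE pre-check built on the standard library's expat
binding.  Added example; not code from the post or from lxml itself."""
import xml.parsers.expat as expat

# Constructed sample documents (not taken from the original post).
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY greeting "hello">
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
"""

EXTERNAL_DTD_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data SYSTEM "http://example.invalid/data.dtd">
<data>x</data>
"""

SAFE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY greeting "hello">
]>
<data>&greeting;</data>
"""

PLAIN_DOC = b"<data>hello</data>"


class _PrologDone(Exception):
    """Raised from a handler to stop expat once the DOCTYPE has been read."""


def external_entities(doc: bytes) -> list:
    """Return (name, system_id, public_id) for every external entity the
    document declares, plus a ("DOCTYPE", ...) entry when the DOCTYPE points
    at an external DTD subset.  Only declarations are read; nothing is loaded."""
    found = []

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> / PUBLIC "..." "..." names an external subset
        if system_id is not None or public_id is not None:
            found.append(("DOCTYPE", system_id, public_id))

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # expat passes value=None for external (SYSTEM/PUBLIC) entities and
        # the literal replacement text for internal ones
        if value is None:
            found.append((name, system_id, public_id))

    def end_doctype():
        # entity declarations live only in the prolog, so stop here and never
        # parse the element content that would reference them
        raise _PrologDone

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = end_doctype
    try:
        parser.Parse(doc, True)
    except _PrologDone:
        pass
    return found


def is_safe_to_hand_to_parser(doc: bytes) -> bool:
    """Gate: refuse anything that declares external entities or an external
    DTD, and anything whose prolog is not even well-formed."""
    try:
        return not external_entities(doc)
    except expat.ExpatError:
        return False


if __name__ == "__main__":
    for label, doc in [("xxe", XXE_DOC), ("external dtd", EXTERNAL_DTD_DOC),
                       ("safe", SAFE_DOC), ("plain", PLAIN_DOC)]:
        print(label, is_safe_to_hand_to_parser(doc), external_entities(doc))
```

Rejecting a document here does not depend on whether the parser that later handles it expands entities, so the check behaves identically on lxml 4.x and 5.x. It complements rather than replaces configuring the parser itself; with lxml that means constructing the parser explicitly, for example `etree.XMLParser(resolve_entities=False)`, instead of relying on the version default the post describes.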
