Lift 2.6.1: Security Release
Lift 2.6 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML.
Lift 2.6.1 introduces net.liftweb.util.Helpers.secureXML, an object analogous to
Scala's scala.xml.XML that is secured against XXE attacks by disabling external
entities in doctypes. If you are parsing untrusted, user-provided XML using
scala.xml.XML, it is recommended that you switch to secureXML instead.
Lift 2.6.1 was rapidly superseded by Lift 2.6.2, which secures the secureXML
object against a few additional XML-based attacks.
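The following is an added example, not Lift's own secureXML implementation, showing the underlying technique the release note describes: building a SAXParser with external entity resolution and DOCTYPE declarations switched off, then handing it to scala.xml.XML via withSAXParser. The HardenedXml object, the feature list and the two sample documents are assumptions of this example; the feature URIs are the standard SAX and Apache Xerces ones honoured by the JDK's built-in parser.

```scala
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.SAXParseException
import scala.xml.{Elem, XML}
import scala.xml.factory.XMLLoader

// Hypothetical helper (not Lift's secureXML): a scala.xml loader whose
// parser refuses DTDs and never resolves external entities.
object HardenedXml {
  private def secureParserFactory(): SAXParserFactory = {
    val f = SAXParserFactory.newInstance()
    // Refuse any <!DOCTYPE ...> outright; this alone blocks classic XXE.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth for parsers that still accept a DOCTYPE.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    f.setXIncludeAware(false)
    f
  }

  // Same API surface as scala.xml.XML (loadString, loadFile, ...),
  // but every load goes through the hardened parser.
  val loader: XMLLoader[Elem] =
    XML.withSAXParser(secureParserFactory().newSAXParser())

  // Returns Right(elem) for well-formed, DTD-free input and
  // Left(reason) when the parser rejects the document.
  def parse(input: String): Either[String, Elem] =
    try Right(loader.loadString(input))
    catch { case e: SAXParseException => Left(e.getMessage) }
}

object HardenedXmlDemo extends App {
  // Constructed sample: the shape of an XXE payload, with a placeholder path.
  val withDoctype =
    """<?xml version="1.0"?>
      |<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/private/file">]>
      |<d>&ext;</d>""".stripMargin

  // Constructed sample: ordinary untrusted input with no DTD.
  val plain = """<order id="42"><item>widget</item></order>"""

  println(HardenedXml.parse(withDoctype)) // Left(... DOCTYPE is disallowed ...)
  println(HardenedXml.parse(plain).map(_ \\ "item"))  // Right(NodeSeq(<item>widget</item>))
}
```

Using disallow-doctype-decl means any document carrying a DTD is rejected before entity expansion is attempted, which is the safest default for untrusted input; if an application legitimately needs inline DTDs, keep that feature off and rely on the three external-entity features, which still stop file and URL resolution.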