Lift 3.0-M4: Security Milestone Release
Lift 3.0-M3 was found to be vulnerable to XML External Entity attacks,
which can leak private files through your application when parsing certain
types of XML.
Lift 3.0-M4 introduces net.liftweb.util.Helpers.secureXML, an analogous object to
Scala's scala.xml.XML that is secured against XXE attacks by disabling external
entities in doctypes. If you are parsing untrusted user-provided XML using
scala.xml.XML, it is recommended that you switch to secureXML instead.
Lift 3.0-M4 was rapidly superseded by Lift 3.0-M4-1, which secures the secureXML
object against a few additional XML-based attacks.
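As an added illustration of the hardening the release describes (this is not Lift's own `secureXML` source, and it assumes `secureXML` exposes the same `loadString`-style methods as `scala.xml.XML`, which the release calls it analogous to), the following Scala builds a `scala.xml` loader whose SAX parser refuses DOCTYPE declarations and external entities, then runs it over a constructed benign document and a constructed document that declares an external entity. The feature URIs are the standard Xerces/SAX ones understood by the JDK's bundled parser; `HardenedXml`, `secureLoader` and `parseUntrusted` are names chosen here.

```scala
import javax.xml.parsers.SAXParserFactory
import scala.util.{Failure, Success, Try}
import scala.xml.{Elem, XML}
import scala.xml.factory.XMLLoader

// Hypothetical helper, written for this example; not part of Lift.
object HardenedXml {

  /** An XMLLoader whose SAX parser rejects DOCTYPEs and external entities. */
  def secureLoader: XMLLoader[Elem] = {
    val factory = SAXParserFactory.newInstance()
    factory.setNamespaceAware(true)
    // Reject any DOCTYPE declaration outright: without a DOCTYPE no entity,
    // internal or external, can be declared, which removes the XXE surface.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth for parser implementations that ignore the feature above:
    // never resolve external general/parameter entities or fetch external DTDs.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    factory.setXIncludeAware(false)
    XML.withSAXParser(factory.newSAXParser())
  }

  // Constructed sample inputs (not taken from any real application).
  val benignDoc: String = "<order><item sku=\"A-1\">2</item></order>"

  // A document that declares an external entity pointing at a placeholder path;
  // an unhardened parser would read that file and splice its contents in.
  val entityDoc: String =
    """<?xml version="1.0"?>
      |<!DOCTYPE order [
      |  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/private-file">
      |]>
      |<order><item>&ext;</item></order>""".stripMargin

  /** Parse untrusted input; Left(reason) when the parser rejects the document. */
  def parseUntrusted(input: String): Either[String, Elem] =
    Try(secureLoader.loadString(input)) match {
      case Success(elem) => Right(elem)
      case Failure(e)    => Left(Option(e.getMessage).getOrElse(e.getClass.getName))
    }

  def main(args: Array[String]): Unit = {
    // The benign document parses normally.
    println(parseUntrusted(benignDoc))
    // The entity-bearing document is rejected at the DOCTYPE, before any
    // external resource could be resolved.
    println(parseUntrusted(entityDoc))
    // For comparison, the default loader (scala.xml.XML.loadString) would
    // expand &ext; from disk, which is the behaviour the release fixes.
  }
}
```

With Lift 3.0-M4 or later the equivalent call on the library side is `net.liftweb.util.Helpers.secureXML.loadString(input)` in place of `scala.xml.XML.loadString(input)`; the point of wrapping it in a `Try`/`Either` as above is that rejected input becomes an ordinary error path rather than an unhandled exception from a request handler.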