build with -DBanAllEntityUsage=1 ?
Added by Rex Dieter over 5 years ago
Per
https://bugzilla.redhat.com/show_bug.cgi?id=888769
A fellow fedora contributor recommended that I build exiv2 with -DBanAllEntityUsage=1 due to XML entity expansion ("billion laughs attack")
Any comment or feedback on doing that by default here upstream?
Secondarily, any possibility of someday using https://libopenraw.freedesktop.org/wiki/Exempi/ instead of bundling a copy of this library code?
Replies (2)
RE: build with -DBanAllEntityUsage=1 ? - Added by Robin Mills over 5 years ago
Rex
Can you please be a little more expansive. What problem is being solved with -DBanAllEntityUsage=1?
We don't have any plan to build with exempi. We'd like to upgrade to the latest Adobe XMPsdk and use it as an external library (#941). Currently, we have a modified copy in our code base of Adobe's XMPsdk from a few years back.
You are of course welcome to join the Exiv2 project to work on our XMP support.
RE: build with -DBanAllEntityUsage=1 ? - Added by Rex Dieter over 5 years ago
More references on Xml entity expansion issue (from googling mostly):
https://en.wikipedia.org/wiki/Billion_laughs
https://cytinus.wordpress.com/2011/07/26/37/
One admittedly brute-force method to avoid the issue is to build this code with -DBanAllEntityUsage=1 (sorry for my prior typo).
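Added example (not from this thread, Exiv2 or the XMP SDK): the "billion laughs" expansion the posts refer to, and the brute-force countermeasure of refusing any entity declaration, shown against Expat through Python's xml.parsers.expat binding. It is an assumption here, based only on the flag's name, that -DBanAllEntityUsage=1 works the same way in the bundled XMP SDK (an entity-declaration handler that aborts the parse); the function and class names below are the example's own.

```python
import xml.parsers.expat


class EntityUsageBanned(Exception):
    """Raised when the document declares any entity (internal or external)."""


def billion_laughs(depth: int, fanout: int = 10) -> bytes:
    """Build a constructed 'billion laughs' document.

    Level i references level i-1 `fanout` times, so the text that the parser
    has to produce grows as len("lol") * fanout ** depth while the document
    itself stays a few hundred bytes long.
    """
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        decls.append(f'<!ENTITY lol{i} "{("&%s;" % prev) * fanout}">')
    top = "lol" if depth == 0 else f"lol{depth}"
    doc = (
        '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
        + "\n".join(decls)
        + f"\n]>\n<lolz>&{top};</lolz>\n"
    )
    return doc.encode()


def expanded_length(doc: bytes) -> int:
    """Parse with Expat's default behaviour (internal entities are expanded)
    and return how many characters of text the parser actually delivered."""
    parser = xml.parsers.expat.ParserCreate()
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total


def parse_banning_entities(doc: bytes) -> int:
    """Same parse, but any entity declaration (internal or external, general
    or parameter) aborts parsing before a single reference can be expanded.
    This is the assumed behaviour of -DBanAllEntityUsage=1, not its code."""
    parser = xml.parsers.expat.ParserCreate()
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Raising inside an Expat callback stops the parser; the exception
        # propagates out of Parse() to the caller.
        raise EntityUsageBanned(f"entity declaration {name!r} refused")

    parser.CharacterDataHandler = on_chars
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(doc, True)
    return total


def is_rejected(doc: bytes) -> bool:
    """True if the entity-banning parser refuses the document."""
    try:
        parse_banning_entities(doc)
    except EntityUsageBanned:
        return True
    return False


if __name__ == "__main__":
    doc = billion_laughs(3)
    print(len(doc), "bytes of XML expand to", expanded_length(doc), "characters")
    print("rejected when entities are banned:", is_rejected(doc))
```

The cost of the brute-force approach is visible in `parse_banning_entities`: a document that declares a harmless entity is refused just like the malicious one, which is acceptable for XMP packets (they are not expected to carry a DTD) but would not be for a general XML consumer. Expat 2.4.0 and later also ship an amplification limit that trips only once the expanded output is large, so a small document like the one built here still expands fully under the default parser.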