Thanks for creating this library, so far it seems very useful for generating documents!
I would like to address the following security issue, by default, version 6.0.1 is configured with a hard coded URL to a REST endpoint that allows you to convert your documents into PDF documents. If the "docx4j-export-fo" library is not available in your class path, then this REST endpoint is automatically used for generating PDF documents. This can really be an undesired effect if the developer is not aware that this is happening. I'm referring to the following code:
Docx4j.java:700:
- Code: Select all
if (pdfViaFO()) {
FOSettings settings = createFOSettings();
settings.setWmlPackage(wmlPackage);
settings.setApacheFopMime("application/pdf");
toFO(settings, outputStream, FLAG_NONE);
} else {
// Configure this property to point to your own Converter instance.
String URL = Docx4jProperties.getProperty("com.plutext.converter.URL", "http://converter-eval.plutext.com:80/v1/00000000-0000-0000-0000-000000000000/convert");
If this endpoint would accidentally be used and the documents that are generated contain any personal information, then this would be an official data leak, according to the General Data Protection Regulation in the European union. May I recommend removing the default URL to enforce the user to specifically configure the use of this endpoint?
The workaround to prevent this behavior from happening is including the "docx4j-export-fo"-library and overriding the "com.plutext.converter.URL" property to connect to a fake url pointing to localhost, just to make sure this URL won't be called in case something accidentally gets mis configured. But any modifications in future versions could still result in accidentally using this end-point.
Looking forward to hear your opinion on this matter.
Kind regards,
Guido
News
Site map
SitemapIndex
RSS Feed