From b70d400c719202a4966652c41e177dd23bcef86a Mon Sep 17 00:00:00 2001 From: Juergen Hoeller Date: Wed, 7 Mar 2018 16:54:04 +0100 Subject: [PATCH] Strong recommendation for OpenPDF 1.0.5 instead of iText 2.1.7 Issue: SPR-16107 --- .../servlet/view/document/AbstractPdfStamperView.java | 8 +++++--- .../web/servlet/view/document/AbstractPdfView.java | 8 +++++--- src/asciidoc/web-view.adoc | 10 +++++++++- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/document/AbstractPdfStamperView.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/document/AbstractPdfStamperView.java index 559745383f5..e786a73114c 100644 --- a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/document/AbstractPdfStamperView.java +++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/document/AbstractPdfStamperView.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -33,9 +33,11 @@ import org.springframework.web.servlet.view.AbstractUrlBasedView; * will extend this class to merge the PDF form with model data. * *

This view implementation uses Bruno Lowagie's - * iText package. - * Known to work with iText 2.1.7 as well as its fork + * iText API. + * Known to work with the original iText 2.1.7 as well as its fork * OpenPDF. + * We strongly recommend OpenPDF since it is actively maintained + * and fixes an important vulnerability for untrusted PDF content. * *

Thanks to Bryant Larsen for the suggestion and the original prototype! * diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/document/AbstractPdfView.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/document/AbstractPdfView.java index f3baaae4ede..a7d0a9cb0bb 100644 --- a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/document/AbstractPdfView.java +++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/document/AbstractPdfView.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,9 +35,11 @@ import org.springframework.web.servlet.view.AbstractView; * not in a template. * *

This view implementation uses Bruno Lowagie's - * iText package. - * Known to work with iText 2.1.7 as well as its fork + * iText API. + * Known to work with the original iText 2.1.7 as well as its fork * OpenPDF. + * We strongly recommend OpenPDF since it is actively maintained + * and fixes an important vulnerability for untrusted PDF content. * *

Note: Internet Explorer requires a ".pdf" extension, as it doesn't * always respect the declared content type. diff --git a/src/asciidoc/web-view.adoc b/src/asciidoc/web-view.adoc index 54cfc47eb3b..5d5123305db 100644 --- a/src/asciidoc/web-view.adoc +++ b/src/asciidoc/web-view.adoc @@ -2066,7 +2066,15 @@ server with the correct content type to (hopefully) enable the client PC to run spreadsheet or PDF viewer application in response. In order to use Excel views, you need to add the Apache POI library to your classpath, -and for PDF generation, the common iText 2.1.7 or its fork OpenPDF (e.g. OpenPDF 1.0.4). +and for PDF generation preferably the OpenPDF library. + +[NOTE] +==== +Use the latest versions of the underlying document generation libraries if possible. +In particular, we strongly recommend OpenPDF (e.g. OpenPDF 1.0.5) instead of the +outdated original iText 2.1.7 since it is actively maintained and fixes an important +vulnerability for untrusted PDF content. +====
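
Review bot: The Javadoc sentence added in the second hunk of AbstractPdfStamperView.java recommends OpenPDF but names no version, while the subject line and the web-view.adoc hunk both point at 1.0.5. A reader who only sees the class Javadoc cannot tell which release the "fixes an important vulnerability" claim refers to. Suggest stating the version in the Javadoc as well, for example "We strongly recommend OpenPDF 1.0.5 or later since it is actively maintained".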
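
Review bot: In the second hunk of AbstractPdfView.java, "an important vulnerability for untrusted PDF content" is not identified anywhere in the patch: the only reference is SPR-16107 in the commit message, and no advisory, CVE or OpenPDF issue is named. Please add a reference in the Javadoc (or at least in the commit message) so users can judge their exposure. Since the same sentence is pasted into both view classes, it would also help to say what "untrusted PDF content" means for each of them, that is, whether it covers PDFs the application reads or only ones it generates.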
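
Review bot: In the web-view.adoc hunk, "(e.g. OpenPDF 1.0.5)" reads as one example among several rather than as a minimum, and the removed line offered "OpenPDF 1.0.4" in the same "e.g." form, so readers who followed the old text are not told that they should upgrade. Suggest wording it as a floor, such as "OpenPDF 1.0.5 or later". As a style point in the same NOTE block, "since it is actively maintained" directly follows "the outdated original iText 2.1.7", which leaves the antecedent of "it" ambiguous; "since OpenPDF is actively maintained" removes the doubt.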