Replace iText 2.1.7 dependency with OpenPDF 1.0.5 [SPR-16352]

[spring-projects-issues]

Andreas Røsdal opened SPR-16352 and commented

I propose to replace the iText 2.1.7 dependency in Spring (spring-webmvc) with OpenPDF 1.0.5. OpenPDF is a maintained fork of iText 4.x which still has a LGPL license. The project is maintained on GitHub: https://github.com/librepdf/openpdf

These are some references to iText 2.1.7 in Spring:
https://github.com/spring-projects/spring-framework/blob/master/spring-webmvc/spring-webmvc.gradle
https://github.com/spring-projects/spring-framework/search?utf8=%E2%9C%93&q=itext&type=

Project GitHub page:
https://github.com/librepdf/openpdf

OpenPDF contains a fix for CVE-2017-9096 iText XML External Entity Vulnerability
LibrePDF/OpenPDF#56
This sercurity vulerability has not been fixed in iText 2.1.7, since it is no longer maintained.

---

Issue Links:

• Compatibility with OpenPDF as alternative to iText 2.1.7 [SPR-16107] #20655 Compatibility with OpenPDF as alternative to iText 2.1.7

Referenced from: commits 7a55d93

[spring-projects-issues]

Juergen Hoeller commented

We have asserted compatibility with OpenPDF in #20655 already. For the time being, we simply didn't replace the dependency because it is optional anyway, and our reference API for compilation purposes is still iText itself.

Point taken, for guidance purposes, we could update even our optional dependency to a current version of OpenPDF. We'll consider that for Spring Framework 5.0.3 which is the release that goes into Spring Boot 2.0 RC1.