Skip Menu |
 

This queue is for tickets about the XML-LibXML CPAN distribution.

Report information
The Basics
Id: 118032
Status: open
Priority: 0/
Queue: XML-LibXML

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc: CARNIL [...] cpan.org
AdminCc:

Bug Information
Severity: (no value)
Broken in: 2.0128
Fixed in: (no value)

Attachments
0001-Do-not-enable-expanding-entities-by-default.patch



Subject: External entities are parsed by default
Download (untitled) / with headers
text/plain 626b
$XML::LibXML::XML_LIBXML_PARSE_DEFAULTS is set to XML_PARSE_NODICT | XML_PARSE_DTDLOAD | XML_PARSE_NOENT. That overrides libxml2 default behavior that stopped processing external entities by default many years ago <https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f> because it could leak data from a local file system or a local network. This XML-LibXML issue was reported to Debian <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838097> and to Fedora <https://bugzilla.redhat.com/show_bug.cgi?id=1377996>. Would it be possible to change XML-LibXML default behavior in similar way?
From: ppisar [...] redhat.com
Download (untitled) / with headers
text/plain 472b
Dne Čt 22.zář.2016 07:44:39, ppisar napsal(a): Show quoted text
> $XML::LibXML::XML_LIBXML_PARSE_DEFAULTS is set to XML_PARSE_NODICT | > XML_PARSE_DTDLOAD | XML_PARSE_NOENT. That overrides libxml2 default > behavior that stopped processing external entities by default
Attached patch disables expanding entities. Maybe XML_PARSE_DTDLOAD should be disables also. Or maybe one should define a default ext_ent_handler that always. That could preserve ability to expand internal entities.
Subject: 0001-Do-not-enable-expanding-entities-by-default.patch
From 05749ae525317d05bd9d4232c080e530854f1d88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Fri, 30 Sep 2016 14:31:26 +0200 Subject: [PATCH] Do not enable expanding entities by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Expanding external entity is insecure. <https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing>. This patch makes expand_entities option disabled by default. CPAN RT#118032 Signed-off-by: Petr Písař <ppisar@redhat.com> --- LibXML.pm | 2 +- docs/libxml.dbk | 2 +- t/43options.t | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/LibXML.pm b/LibXML.pm index eb3cbd6..9ab4748 100644 --- a/LibXML.pm +++ b/LibXML.pm @@ -261,7 +261,7 @@ use constant { HTML_PARSE_NOERROR => (1<<5), # suppress error reports }; -$XML_LIBXML_PARSE_DEFAULTS = ( XML_PARSE_NODICT | XML_PARSE_DTDLOAD | XML_PARSE_NOENT ); +$XML_LIBXML_PARSE_DEFAULTS = ( XML_PARSE_NODICT | XML_PARSE_DTDLOAD ); # this hash is made global so that applications can add names for new # libxml2 parser flags as temporary workaround diff --git a/docs/libxml.dbk b/docs/libxml.dbk index 30f279b..2c6674b 100644 --- a/docs/libxml.dbk +++ b/docs/libxml.dbk @@ -1676,7 +1676,7 @@ local $XML::LibXML::setTagCompression = 1;</programlisting> <term>expand_entities</term> <listitem> <para>/parser, reader/</para> - <para>substitute entities; possible values are 0 and 1; default is 1</para> + <para>substitute entities; possible values are 0 and 1; default is 0</para> <para>Note that although this flag disables entity substitution, it does not prevent the parser from loading external entities; when substitution of an external entity is disabled, the diff --git a/t/43options.t b/t/43options.t index 826f0ad..53dd35e 100644 --- a/t/43options.t +++ b/t/43options.t @@ -50,7 +50,7 @@ no_network { my $p = XML::LibXML->new(); for my $opt (@all) { - my $ret = (($opt =~ /^(?:load_ext_dtd|expand_entities)$/) ? 1 : 0); + my $ret = (($opt =~ /^(?:load_ext_dtd)$/) ? 1 : 0); # TEST*$all ok( ($p->get_option($opt)||0) == $ret @@ -110,7 +110,7 @@ no_network ok( $p->get_option('recover') == 2, ' TODO : Add test name' ); # TEST - ok( $p->expand_entities() == 1, ' TODO : Add test name' ); + ok( $p->expand_entities() == 0, ' TODO : Add test name' ); # TEST ok( $p->load_ext_dtd() == 1, ' TODO : Add test name' ); $p->load_ext_dtd(0); -- 2.7.4
Download (untitled) / with headers
text/plain 896b
On Thu Sep 22 07:44:39 2016, ppisar wrote: Show quoted text
> $XML::LibXML::XML_LIBXML_PARSE_DEFAULTS is set to XML_PARSE_NODICT | > XML_PARSE_DTDLOAD | XML_PARSE_NOENT. That overrides libxml2 default > behavior that stopped processing external entities by default many > years ago > <https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f> > because it could leak data from a local file system or a local > network. > > This XML-LibXML issue was reported to Debian > <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838097> and to > Fedora <https://bugzilla.redhat.com/show_bug.cgi?id=1377996>. > > Would it be possible to change XML-LibXML default behavior in similar > way?
If the default behavior with external entities is being changed to prevent XXE attacks, please also change the default behavior to NOT load external DTDs. DTD loading by default is an SSRF attack.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.