[xml] Question about security implications around external entities

From: Mike Dalessio <mike dalessio gmail com>
To: xml <xml gnome org>
Subject: [xml] Question about security implications around external entities
Date: Mon, 1 Oct 2012 14:36:10 -0400

Hi,

I'm a maintainer of Nokogiri, which is a libxml2 binding for Ruby. We've had questions on our mailing list around possible XXE attacks related to local files (see https://github.com/sparklemotion/nokogiri/issues/693 and related https://groups.google.com/group/nokogiri-talk/browse_thread/thread/47eaa6931bfa2301).

If I parse a document that references a local file, like this:

<!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>

<root>

</root>

There is no obvious way to avoid having libxml2 open `/etc/passwd`. You may be able to avoid replacing the entity by setting the NOENT option; however there is still a possible vulnerability here. I can avoid loading external entity files that are accessed over the network by setting the NONET parse option; there is no equivalent for local file access.

My question is this: what's the offical libxml2 policy on this? Should users of libxml2 who are parsing untrusted documents do their parsing in a `chroot` environment to limit file access? Is there some other workaround? Are the maintainers open to a parse option that will turn off local file access? Is there something obvious that I'm missing?

Thanks very much for your attention.

-mike

---

mike dalessio / @flavorjones

Follow-Ups:
- Re: [xml] Question about security implications around external entities
  - From: Daniel Veillard

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]