Re: [xml] Question about security implications around external entities



On Mon, Oct 01, 2012 at 02:36:10PM -0400, Mike Dalessio wrote:
Hi,

  Hi Mike,

 sorry for the delay,

I'm a maintainer of Nokogiri, which is a libxml2 binding for Ruby. We've
had questions on our mailing list around possible XXE attacks related to
local files (see https://github.com/sparklemotion/nokogiri/issues/693 and
related
https://groups.google.com/group/nokogiri-talk/browse_thread/thread/47eaa6931bfa2301
).

If I parse a document that references a local file, like this:

    <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
    <root>
      <e>&ent;</e>
    </root>

There is no obvious way to avoid having libxml2 open `/etc/passwd`. You may
be able to avoid replacing the entity by setting the NOENT option; however
there is still a possible vulnerability here. I can avoid loading external
entity files that are accessed over the network by setting the NONET parse
option; there is no equivalent for local file access.

  Actually which version of libxml2 did you try? Latest version 2.9.0
includes the following patch:
 http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

 So unless you explicitly ask for entities replacement, which is not
libxml2 default, libxml2 should not even try to open that file !

My question is this: what's the official libxml2 policy on this? Should
users of libxml2 who are parsing untrusted documents do their parsing in a
`chroot` environment to limit file access? Is there some other workaround?
Are the maintainers open to a parse option that will turn off local file
access? Is there something obvious that I'm missing?

  1/ yes it was a bug
  2/ it should be fixed, default processing of XML files should never
     access external entities. The 2 cases where it would is if
     DTD loading/entities replacement is asked for, or if XInclude
     processing is activated.

 hope this clarifies the situation, please check with 2.9.0 and report
 :-)

Daniel

-- 
Daniel Veillard      | Open Source and Standards, Red Hat
veillard redhat com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/
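
The two behaviours Daniel describes, reproduced with Nokogiri as an added example (this is not code from the thread, from libxml2 or from the Nokogiri project). The external entity points at a temp file holding a constructed secret instead of /etc/passwd. A default parse leaves &ent; as an unexpanded entity reference and the secret never appears in the document; asking for entity replacement (NOENT) makes libxml2 open the file. The names SECRET, with_xxe_document, leaked?, xxe_experiment, unsafe_flags and parse_untrusted are ours; the last two are an assumed pre-parse check for the options Daniel lists as the ones that fetch external content (entity replacement, DTD loading/validation, XInclude). It needs the nokogiri gem; without it the file still loads but the demo is skipped.

```ruby
# frozen_string_literal: true
require "tempfile"

begin
  require "nokogiri" # the libxml2 binding discussed in the thread
  NOKOGIRI_AVAILABLE = true
rescue LoadError
  NOKOGIRI_AVAILABLE = false # block still loads; the demo is skipped
end

# Constructed stand-in for the contents of /etc/passwd.
SECRET = "constructed-secret-42"

# Builds Mike's document, but with the external entity pointing at a temp
# file we control. Yields the XML string; the file is removed afterwards.
def with_xxe_document
  Tempfile.create(["xxe-target", ".txt"]) do |f|
    f.write(SECRET)
    f.flush
    yield <<~XML
      <!DOCTYPE root [ <!ENTITY ent SYSTEM "file://#{f.path}"> ]>
      <root>
        <e>&ent;</e>
      </root>
    XML
  end
end

# True when <e>'s text carries the file content, i.e. libxml2 opened the
# file and substituted the entity.
def leaked?(doc)
  doc.at_xpath("//e").text.include?(SECRET)
end

# Parses the document twice: with Nokogiri's defaults (no substitution)
# and with NOENT requested. Returns what each parse produced.
def xxe_experiment
  return { skipped: true } unless NOKOGIRI_AVAILABLE

  with_xxe_document do |xml|
    default_doc = Nokogiri::XML(xml)
    noent_doc = Nokogiri::XML(xml) { |opts| opts.noent } # ask for entity replacement
    {
      skipped: false,
      default_leaked: leaked?(default_doc),
      # without NOENT the reference stays an entity-reference node (type 5)
      default_child_type: default_doc.at_xpath("//e").children.first&.node_type,
      noent_leaked: leaked?(noent_doc),
    }
  end
end

# Option predicates that, per the reply above, make libxml2 reach outside
# the document entity: entity replacement, DTD loading/validation, XInclude.
UNSAFE_FOR_UNTRUSTED = %i[noent? dtdload? dtdvalid? xinclude?].freeze

# Names of the dangerous flags set on +opts+ (empty means acceptable).
def unsafe_flags(opts)
  UNSAFE_FOR_UNTRUSTED.select { |pred| opts.public_send(pred) }
end

# Parses untrusted XML, refusing an option set that would let libxml2 load
# external entities. Helper name is ours, not Nokogiri's.
def parse_untrusted(xml, opts = Nokogiri::XML::ParseOptions.new(Nokogiri::XML::ParseOptions::DEFAULT_XML))
  bad = unsafe_flags(opts)
  raise ArgumentError, "options unsafe for untrusted XML: #{bad.join(', ')}" unless bad.empty?

  Nokogiri::XML(xml, nil, nil, opts)
end

if __FILE__ == $PROGRAM_NAME
  p xxe_experiment
  if NOKOGIRI_AVAILABLE
    with_xxe_document do |xml|
      p leaked?(parse_untrusted(xml))
      begin
        parse_untrusted(xml, Nokogiri::XML::ParseOptions.new.noent)
      rescue ArgumentError => e
        puts e.message
      end
    end
  end
end
```

Nothing in the document decides whether the file is opened; only the parse options do. That is why the check sits on the options rather than on the input, and why NONET alone is not enough: it stops http:// and ftp:// fetches but says nothing about file://.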
