Re: [xml] Question about security implications around external entities
- From: Daniel Veillard <veillard redhat com>
- To: Mike Dalessio <mike dalessio gmail com>
- Cc: xml <xml gnome org>
- Subject: Re: [xml] Question about security implications around external entities
- Date: Tue, 30 Oct 2012 10:13:49 +0800
On Mon, Oct 01, 2012 at 02:36:10PM -0400, Mike Dalessio wrote:
sory for the delay,
I'm a maintainer of Nokogiri, which is a libxml2 binding for Ruby. We've
had questions on our mailing list around possible XXE attacks related to
local files (see https://github.com/sparklemotion/nokogiri/issues/693 and
If I parse a document that references a local file, like this:
<!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
There is no obvious way to avoid having libxml2 open `/etc/passwd`. You may
be able to avoid replacing the entity by setting the NOENT option; however
there is still a possible vulnerability here. I can avoid loading external
entity files that are accessed over the network by setting the NONET parse
option; there is no equivalent for local file access.
Actually which version of libxml2 did you tried ? Latest version 2.9.0
includes the following patch:
So unless you explicitely ask for entities replacement, which is not
libxml2 default, libxml2 should not even try to open that file !
My question is this: what's the offical libxml2 policy on this? Should
users of libxml2 who are parsing untrusted documents do their parsing in a
`chroot` environment to limit file access? Is there some other workaround?
Are the maintainers open to a parse option that will turn off local file
access? Is there something obvious that I'm missing?
1/ yes it was a bug
2/ it should be fixed, default processing of XML files should never
access external entities. The 2 cases where it would is if
DTD loading/entites replacement is asked for, or if XInclude
processing is activated.
hope this clarifies the situation, please check with 2.9.0 and report
Daniel Veillard | Open Source and Standards, Red Hat
veillard redhat com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
] [Thread Prev