Re: [xml] Question about security implications around external entities

On Mon, Oct 01, 2012 at 02:36:10PM -0400, Mike Dalessio wrote:

  Hi Mike,

 sorry for the delay,

I'm a maintainer of Nokogiri, which is a libxml2 binding for Ruby. We've
had questions on our mailing list around possible XXE attacks related to
local files (see and

If I parse a document that references a local file, like this:

    <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>

There is no obvious way to avoid having libxml2 open `/etc/passwd`. You may
be able to avoid replacing the entity by setting the NOENT option; however
there is still a possible vulnerability here. I can avoid loading external
entity files that are accessed over the network by setting the NONET parse
option; there is no equivalent for local file access.

  Actually which version of libxml2 did you try? Latest version 2.9.0
includes the following patch:

 So unless you explicitly ask for entities replacement, which is not
libxml2 default, libxml2 should not even try to open that file!

My question is this: what's the official libxml2 policy on this? Should
users of libxml2 who are parsing untrusted documents do their parsing in a
`chroot` environment to limit file access? Is there some other workaround?
Are the maintainers open to a parse option that will turn off local file
access? Is there something obvious that I'm missing?

  1/ yes it was a bug
  2/ it should be fixed, default processing of XML files should never
     access external entities. The 2 cases where it would is if
     DTD loading/entities replacement is asked for, or if XInclude
     processing is activated.

 hope this clarifies the situation, please check with 2.9.0 and report


Daniel Veillard      | Open Source and Standards, Red Hat
veillard redhat com  | libxml Gnome XML XSLT toolkit | virtualization library
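
An added example, not part of the original message and not libxml2 or Nokogiri code: a check a binding's user could run over the parse-option bitmask before handing untrusted XML to libxml2, flagging the cases the reply names (DTD loading, entity replacement, XInclude). It assumes the fixed behaviour described for 2.9.0; the helper names and sample masks are hypothetical, and the bit values are those of libxml2's `xmlParserOption` enum.

```ruby
# Added example, not libxml2 or Nokogiri code.
# Bit values are from libxml2's xmlParserOption enum (libxml/parser.h).
XML_PARSE_RECOVER  = 1 << 0
XML_PARSE_NOENT    = 1 << 1   # entity replacement
XML_PARSE_DTDLOAD  = 1 << 2   # load the external DTD subset
XML_PARSE_DTDATTR  = 1 << 3   # default attributes from the DTD
XML_PARSE_DTDVALID = 1 << 4   # validate against the DTD
XML_PARSE_XINCLUDE = 1 << 10  # XInclude processing
XML_PARSE_NONET    = 1 << 11  # forbid network access

# The cases the reply names as reaching external resources. Grouping
# DTDATTR and DTDVALID under "DTD loading" is this example's assumption.
EXTERNAL_ACCESS_TRIGGERS = {
  XML_PARSE_NOENT    => "entity replacement (NOENT)",
  XML_PARSE_DTDLOAD  => "DTD loading (DTDLOAD)",
  XML_PARSE_DTDATTR  => "DTD loading (DTDATTR)",
  XML_PARSE_DTDVALID => "DTD loading (DTDVALID)",
  XML_PARSE_XINCLUDE => "XInclude processing (XINCLUDE)"
}.freeze

# Hypothetical helper: report what a parse-option bitmask can reach.
def audit_parse_options(options)
  triggers = EXTERNAL_ACCESS_TRIGGERS.select { |bit, _| (options & bit) != 0 }.values
  external = !triggers.empty?
  {
    triggers: triggers,
    local_files: external, # NONET has no local-file equivalent
    network: external && (options & XML_PARSE_NONET).zero?
  }
end

# Hypothetical gate for code paths that parse untrusted documents.
def safe_for_untrusted?(options)
  audit_parse_options(options)[:triggers].empty?
end

# Constructed sample masks, printed when the file is run directly.
SAMPLES = {
  "recover+nonet" => XML_PARSE_RECOVER | XML_PARSE_NONET,
  "noent+nonet"   => XML_PARSE_NOENT | XML_PARSE_NONET,
  "xinclude"      => XML_PARSE_XINCLUDE
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, mask|
    r = audit_parse_options(mask)
    puts "#{name}: local_files=#{r[:local_files]} network=#{r[:network]} #{r[:triggers].join(', ')}"
  end
end
```

The `noent+nonet` row shows the gap raised in the question: NONET blocks network fetches, but local files stay reachable once entity replacement is on.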
