Hi Nico, I’ve pasted my reply from May 3 below, in case it was missed. From my perspective, that should address the issue - please let me know if you see it differently.

Best regards,
Gunther

> Sent: Saturday, 3 May 2025 at 01:19
> From: "Gunther Rademacher" <g...@gmx.net>
> To: nver...@rakensi.com, basex-talk@mailman.uni-konstanz.de
> Subject: Re: [basex-talk] Security problem in 11.9?
>
> Hi Nico,
>
> What you describe is the expected behaviour. Please be aware of the
> recent changes of fn:doc (and also fn:parse-xml) that were made in
> 11.9.
>
> These functions now support options to control the access of
> external entities, in particular
>
> - allow-external-entities: whether external entities are
>   permitted (true) or rejected (false), default true
> - dtd: whether external entities are processed (true) or
>   ignored (false), default true.
>
> In fact option dtd is not completely new, but previously its value
> was taken from the context option DTD, which defaults to false. So
> with 11.8, you could produce the same directory listing that you
> experienced with 11.9, by running this on the document that you
> provided:
>
> basex -ODTD=yes "doc('doc.xml')"
>
> Now the options can be supplied per function call, they are
> independent of the context options, and the defaults are different.
> To restore the result that you were used to with 11.9, you need to
> run:
>
> basex "doc('doc.xml', { 'dtd': false() })"
>
> You can now also run this in order to reject any external entity
> references:
>
> basex "doc('doc.xml', { 'allow-external-entities': false() })"
>
> The changes were made to implement the XQuery 4.0 specification
> of these functions:
>
> https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-doc
> https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-parse-xml
>
> This is also described here:
>
> https://docs.basex.org/12/Standard_Functions#fn:doc
> https://docs.basex.org/12/Standard_Functions#fn:parse-xml
>
> Best regards,
> Gunther

> Sent: Thursday, 3 July 2025 at 13:39
> From: nver...@rakensi.com
> To: basex-talk@mailman.uni-konstanz.de
> Subject: [basex-talk] Re: Security problem in 11.9?
>
> The issue in my message from 2 May still exists in BaseX 12.
>
> The issue had to do with the following document:
>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///" >
> ]>
> <foo>&xxe;</foo>
>
> This returns a document with a listing of the root of my file system. From
> there, I can enter sub-directories and extract files.
> This is a well-known external entity injection
> [https://portswigger.net/web-security/xxe#exploiting-xxe-to-retrieve-files].
> This is present in both the standard and the internal parser.
> Currently, I can prevent this by running BaseX as a user with few
> permissions, but it would be better to be able to prevent this kind of entity
> expansion.
>
> For my application, I need to process files sent by external users. And
> before that, I need to pass the security checks that my client performs.
>
> Is this considered by other BaseX users to be a vulnerability? Why was it not
> present in BaseX 11.8? How (if at all) can it be solved?
>
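As an added example that is not part of this thread and not BaseX code: the thread turns on the difference between *ignoring* a DTD (`'dtd': false()`) and *rejecting* external entity references (`'allow-external-entities': false()`), and on Nico's need to accept files from external users. The Python script below (standard library only, using `xml.parsers.expat`) is a hypothetical pre-screening check such an application could run on an upload before handing it to any XML processor: it lists every entity declared with a SYSTEM or PUBLIC identifier, refuses to expand any of them, and fails closed on malformed input. The sample documents are constructed; the first is the one from the thread. The function and file names are my own and are not from the page.

```python
"""Pre-screen untrusted XML for external entity declarations without
resolving them (hypothetical check; not BaseX code)."""
import xml.parsers.expat

# Constructed sample: the document from the mailing-list thread.
XXE_DOC = b"""<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///" >
]>
<foo>&xxe;</foo>"""

# Constructed sample: a DTD that only declares an internal entity.
INTERNAL_DOC = b"""<!DOCTYPE foo [
<!ENTITY greeting "hello">
]>
<foo>&greeting;</foo>"""


def find_external_entities(data: bytes):
    """Return [(entity_name, system_id, public_id), ...] for every entity
    declared with an external identifier (general or parameter entity).

    Nothing is fetched: expat itself performs no I/O, and the reference
    handler below aborts parsing instead of supplying entity content.
    Malformed XML raises ExpatError so callers can fail closed.
    """
    external = []
    refused = []  # system ids whose expansion we aborted
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value and no identifiers; external ones
        # carry a SYSTEM and/or PUBLIC identifier and no value.
        if system_id is not None or public_id is not None:
            external.append((name, system_id, public_id))

    def on_external_ref(context, base, system_id, public_id):
        # Returning 0 tells expat to stop with an error rather than expand.
        refused.append(system_id)
        return 0

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        if not refused:
            raise  # genuinely malformed input, not our deliberate abort
    return external


def is_safe_to_process(data: bytes) -> bool:
    """True only for well-formed XML that declares no external entity."""
    try:
        return not find_external_entities(data)
    except xml.parsers.expat.ExpatError:
        return False


if __name__ == "__main__":
    for label, doc in (("xxe", XXE_DOC), ("internal", INTERNAL_DOC)):
        print(label, find_external_entities(doc), is_safe_to_process(doc))
```

The declaration list is collected before the first reference is hit, so the check reports the offending `SYSTEM "file:///"` declaration even though parsing is aborted at `&xxe;`. A declared-but-unreferenced external entity is reported as well, which is the behaviour you want for a gatekeeper: the decision is made on what the DTD declares, not on what happens to be expanded today.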