When I do an external entity attack against a program using
XML::LibXML, it works! This was unexpected as the underlying
library, libxml2, has had its defaults changed to disable
external entity loading by default (at least when not validating).

The cause is that XML::LibXML has its own idea of
what the defaults should be:

    XML_LIBXML_PARSE_DEFAULTS = (
        XML_PARSE_NODICT | XML_PARSE_DTDLOAD | XML_PARSE_NOENT )

which causes it to load and expand the entities.

    <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>

The issue is that XML-based application interfaces can be manipulated to
cause programs to leak information.
I suggest that the default XML::LibXML parser options should be changed to
match libxml2's defaults. This is where the libxml2 behaviour was changed:
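
Separately from the report above, an added example (not the reporter's code and not part of XML::LibXML): a regression check that parses the same kind of document with the DTDLOAD/NOENT behaviour set explicitly and with a hardened option set, and reports whether the entity content reaches the parsed document. The canary temp file, its marker string and the helper `leaks_canary` are constructed for illustration; `load_ext_dtd`, `expand_entities` and `no_network` are XML::LibXML parser options.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed sample: a temp file holding a marker stands in for a
# sensitive local file, so the check never touches real system files.
my $marker = 'CANARY-constructed-secret';
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $marker;
close $fh;

# Same shape as the document in the report, pointed at the canary file.
my $xml = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE root [ <!ENTITY ent SYSTEM "file://$path"> ]>
<root>&ent;</root>
XML

# Hypothetical helper: returns 1 if the canary content ends up in the
# serialized document produced by a parser built with the given options.
sub leaks_canary {
    my (%opts) = @_;
    my $parser = XML::LibXML->new(%opts);
    my $doc    = eval { $parser->parse_string($xml) };
    return 0 unless $doc;    # parse failed, so nothing was returned
    return index($doc->toString, $marker) >= 0 ? 1 : 0;
}

# The behaviour the report attributes to XML_LIBXML_PARSE_DEFAULTS
# (XML_PARSE_DTDLOAD | XML_PARSE_NOENT), set explicitly here so the
# result does not depend on the installed version's defaults.
my %as_reported = (load_ext_dtd => 1, expand_entities => 1);

# Hardened settings for untrusted input: no external DTD loading,
# no entity substitution, no network fetches.
my %hardened = (load_ext_dtd => 0, expand_entities => 0, no_network => 1);

printf "as reported: canary %s\n",
    leaks_canary(%as_reported) ? 'LEAKED' : 'not present';
printf "hardened:    canary %s\n",
    leaks_canary(%hardened) ? 'LEAKED' : 'not present';
```

Passing the options explicitly at every parser construction keeps the behaviour independent of whichever defaults the installed XML::LibXML ships with.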