Package: libxml-libxml-perl
Version: 2.0116+dfsg-1+deb8u1

When I do an enternal entity attack against a program using
XML::LibXML, it works! This was unexpected as the underying
library, libxml2, has had its defaults changed to disable
external entity loading by default (as least when not validating).

The cause is that XML::LibXML has its own idea of what the defaults should be: XML_LIBXML_PARSE_DEFAULTS = ( XML_PARSE_NODICT | XML_PARSE_DTDLOAD | XML_PARSE_NOENT )
which causes it loads and expands the entities.

Example:

#!/usr/bin/perl -w
use XML::LibXML;

my $xml=<<END;
<!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<node>
    <e>&ent;</e>
</node>
END

print XML::LibXML->new()->parse_string($xml);

The issue is that XML-based application interfaces can be manipulated to cause programs to leak information.

I suggest that the default XML::LibXML parser options should be changed to match libxml2's defaults. This is where the libxml2 behaviour was changed:
https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

Peter

Reply via email to