On 11.04.2014 15:46, Ivan Vučica wrote:
> Just pinging in case our NSXMLDocument implementation is vulnerable to XML
> XXE.
>
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> libxml2 after 2.9 has this disabled by default.
>
> On iOS (and presumably OS X) one is safe only by specifying
> NSXMLNodeLoadExternalEntitiesNever.
>
> I can't check right now, but if GNUstep does behave the same way as OS
> X/iOS, anyone writing network services and using GNUstep's NSXMLDocument
> may want to check that they are safe.
I added the new 10.7 constants to the NSXMLNodeOptions.h file and NSXMLDocument is now using the option XML_PARSE_NONET as default. This may break existing code and won't prevent the vulnerabilities listed in the link you provided, but is the best possible with my version of libxml2. Further patches are welcome.

For me the more important code to look at would be GSXML.m, which also uses libxml2 and gets used a lot more than NSXMLDocument.

Fred

_______________________________________________
Discuss-gnustep mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/discuss-gnustep
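Ivan's suggestion that users "check that they are safe" can be turned into a small self-test. The program below is an added example, not code from the thread or from the GNUstep sources: it builds a constructed XXE payload whose external entity points at a temporary file the program itself writes (so no real system file is read), parses it once with NSXMLNodeLoadExternalEntitiesAlways and once with NSXMLNodeLoadExternalEntitiesNever, and exits non-zero if the file contents leak through the "Never" parse. The secret string, the temporary file name and the helper parseWithOptions() are all assumptions made for the example; the expectation that the "Never" option suppresses the entity is Ivan's claim for OS X/iOS, and on GNUstep the outcome depends on the NSXMLDocument patch Fred describes, which is exactly what the check is meant to reveal. A file: entity is used deliberately because, as Fred notes, XML_PARSE_NONET only stops network fetches and does not cover local-file entities.

```objc
#import <Foundation/Foundation.h>

// Constructed for this example: the content we must NOT see in the parsed tree.
static NSString *const kSecret = @"SECRET-TOKEN-12345";

// Parse `payload` with the given NSXMLNodeOptions and return the root
// element's string value, or nil if NSXMLDocument rejects the input.
static NSString *parseWithOptions(NSData *payload, NSUInteger options, NSError **error)
{
    NSXMLDocument *doc = [[NSXMLDocument alloc] initWithData:payload
                                                     options:options
                                                       error:error];
    if (doc == nil) {
        return nil;
    }
    return [[doc rootElement] stringValue];
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        // Write the "secret" to a temp file so the payload can reference it with
        // a file: URI instead of touching /etc/passwd or similar.
        NSString *path = [NSTemporaryDirectory()
            stringByAppendingPathComponent:@"xxe-check-secret.txt"];
        [kSecret writeToFile:path atomically:YES
                    encoding:NSUTF8StringEncoding error:NULL];

        // Classic XXE payload (constructed): an external general entity that
        // resolves to a local file, referenced from the document body.
        NSString *xml = [NSString stringWithFormat:
            @"<?xml version=\"1.0\"?>\n"
            @"<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file://%@\">]>\n"
            @"<r>&xxe;</r>\n", path];
        NSData *payload = [xml dataUsingEncoding:NSUTF8StringEncoding];

        NSError *err = nil;
        NSString *always = parseWithOptions(payload,
                                            NSXMLNodeLoadExternalEntitiesAlways, &err);
        NSString *never  = parseWithOptions(payload,
                                            NSXMLNodeLoadExternalEntitiesNever, &err);

        // Messaging nil would yield a zero NSRange, so guard before searching.
        BOOL leakedAlways = (always != nil &&
            [always rangeOfString:kSecret].location != NSNotFound);
        BOOL leakedNever  = (never != nil &&
            [never rangeOfString:kSecret].location != NSNotFound);

        NSLog(@"LoadExternalEntitiesAlways: %@",
              leakedAlways ? @"entity expanded (file contents visible)"
                           : @"entity not expanded");
        NSLog(@"LoadExternalEntitiesNever : %@",
              leakedNever ? @"LEAK - file contents visible" : @"safe");

        [[NSFileManager defaultManager] removeItemAtPath:path error:NULL];

        // Non-zero exit means the "Never" option did not stop the XXE.
        return leakedNever ? 1 : 0;
    }
}
```

The program assumes an ARC-enabled build (for example `clang -fobjc-arc` with `-framework Foundation` on OS X, or `gnustep-config --objc-flags` / `--base-libs` plus `-fobjc-arc` on GNUstep with clang). Only the exit status for the "Never" parse is treated as a pass/fail result; the "Always" line is informational, since whether that parse returns the expanded text or an error depends on the Foundation implementation being tested.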
