Hi,
I'm a maintainer of Nokogiri, which is a libxml2 binding for Ruby. We've
had questions on our mailing list around possible XXE attacks related to
local files (see https://github.com/sparklemotion/nokogiri/issues/693 and the
related thread
https://groups.google.com/group/nokogiri-talk/browse_thread/thread/47eaa6931bfa2301).
If I parse a document that references a local file, like this:
<!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<root>
<e>&ent;</e>
</root>
There is no obvious way to avoid having libxml2 open `/etc/passwd`. You may
be able to avoid replacing the entity by setting the NOENT option; however
there is still a possible vulnerability here. I can avoid loading external
entity files that are accessed over the network by setting the NONET parse
option; there is no equivalent for local file access.
My question is this: what's the official libxml2 policy on this? Should
users of libxml2 who are parsing untrusted documents do their parsing in a
`chroot` environment to limit file access? Is there some other workaround?
Are the maintainers open to a parse option that will turn off local file
access? Is there something obvious that I'm missing?
Thanks very much for your attention.
-mike
---
mike dalessio / @flavorjones
_______________________________________________
xml mailing list, project page http://xmlsoft.org/
[email protected]
https://mail.gnome.org/mailman/listinfo/xml
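The gap the mail describes, as an added example (this is not Nokogiri or libxml2 code, and the module, function names and sample documents are assumptions made here): an application-level pre-check that inspects the DOCTYPE of an untrusted document before it reaches libxml2, lists every external identifier it declares (SYSTEM or PUBLIC, on the DOCTYPE itself, on general entities and on parameter entities), and classifies each as local or network. Network identifiers are what NONET would block; local ones, including `file:` URIs and bare relative paths resolved against the document base, are the case for which no parse option exists, so the check refuses them unless the caller opts in.

```ruby
# Added example, not Nokogiri or libxml2 code. A DOCTYPE pre-check that an
# application can run on untrusted XML before handing it to the parser, as a
# workaround while libxml2 has NONET but no "no local file access" option.
require 'uri'

module XxePrecheck
  # The whole DOCTYPE declaration, including an internal subset in [...].
  DOCTYPE_RE = /<!DOCTYPE\s+[^\[>]*(?:\[.*?\])?\s*>/m

  # External identifier forms used by DOCTYPE, ENTITY and NOTATION declarations:
  #   SYSTEM "sysid"    |    PUBLIC "pubid" "sysid"
  # Exactly one of the four capture groups holds the system identifier.
  EXT_ID_RE = /\b(?:SYSTEM\s+(?:"([^"]*)"|'([^']*)')|PUBLIC\s+(?:"[^"]*"|'[^']*')\s+(?:"([^"]*)"|'([^']*)'))/

  # Classify a system identifier by what libxml2's NONET option covers:
  # network schemes are what NONET blocks; a file: URI or a schemeless path
  # (resolved against the document base) is a local file; anything else is
  # an unknown scheme and is refused by default.
  def self.classify(sysid)
    scheme = (URI.parse(sysid).scheme rescue nil)&.downcase
    case scheme
    when nil, 'file'            then :local
    when 'http', 'https', 'ftp' then :network
    else                             :other
    end
  end

  # Every [sysid, kind] pair declared in the document's DOCTYPE, in order.
  def self.external_ids(xml)
    m = DOCTYPE_RE.match(xml)
    return [] unless m
    m[0].scan(EXT_ID_RE).map do |caps|
      sysid = caps.compact.first
      [sysid, classify(sysid)]
    end
  end

  # True when every external identifier is of a kind the caller allows.
  # Defaults refuse both local and network access, i.e. the policy the mail
  # asks libxml2 for; a document without a DOCTYPE is always accepted.
  def self.safe_to_parse?(xml, allow_network: false, allow_local: false)
    external_ids(xml).all? do |_sysid, kind|
      (kind == :network && allow_network) || (kind == :local && allow_local)
    end
  end
end

# Constructed sample input: the document from the mail above.
LOCAL_DOC = <<~XML
  <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
  <root>
    <e>&ent;</e>
  </root>
XML

# Constructed sample input: external DTD over the network plus a local
# parameter entity in the internal subset.
MIXED_DOC = <<~XML
  <!DOCTYPE r PUBLIC "-//x//EN" "http://dtd.example/r.dtd" [
    <!ENTITY % p SYSTEM "file:///etc/hostname"> %p;
  ]>
  <r/>
XML

if __FILE__ == $PROGRAM_NAME
  [LOCAL_DOC, MIXED_DOC].each do |doc|
    puts XxePrecheck.external_ids(doc).inspect
    puts "safe under NONET only:    #{XxePrecheck.safe_to_parse?(doc, allow_network: true)}"
    puts "safe with no ext. access: #{XxePrecheck.safe_to_parse?(doc)}"
  end
end
```

This is a deliberately conservative, regex-level check rather than a DTD parser: a `SYSTEM` literal inside a comment in the internal subset counts as a hit, and any unrecognised scheme is refused. It does not cover other paths to the entity loader such as XInclude or an external DTD's own declarations, which is why the mail's request for a loader-level parse option, or a chroot around the parser, remains the proper fix.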