On Mon, Oct 01, 2012 at 02:36:10PM -0400, Mike Dalessio wrote:
> Hi,

Hi Mike,

sorry for the delay,

> I'm a maintainer of Nokogiri, which is a libxml2 binding for Ruby. We've
> had questions on our mailing list around possible XXE attacks related to
> local files (see https://github.com/sparklemotion/nokogiri/issues/693 and
> related
> https://groups.google.com/group/nokogiri-talk/browse_thread/thread/47eaa6931bfa2301
> ).
>
> If I parse a document that references a local file, like this:
>
> <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
> <root>
> <e>&ent;</e>
> </root>
>
> There is no obvious way to avoid having libxml2 open `/etc/passwd`. You may
> be able to avoid replacing the entity by setting the NOENT option; however
> there is still a possible vulnerability here. I can avoid loading external
> entity files that are accessed over the network by setting the NONET parse
> option; there is no equivalent for local file access.

Actually which version of libxml2 did you try? The latest version, 2.9.0, includes the following patch:

http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

So unless you explicitly ask for entities replacement, which is not libxml2's default, libxml2 should not even try to open that file!

> My question is this: what's the official libxml2 policy on this? Should
> users of libxml2 who are parsing untrusted documents do their parsing in a
> `chroot` environment to limit file access? Is there some other workaround?
> Are the maintainers open to a parse option that will turn off local file
> access? Is there something obvious that I'm missing?

1/ yes it was a bug
2/ it should be fixed, default processing of XML files should never access external entities. The 2 cases where it would are if DTD loading/entities replacement is asked for, or if XInclude processing is activated.

hope this clarifies the situation, please check with 2.9.0 and report :-)

Daniel

-- 
Daniel Veillard | Open Source and Standards, Red Hat
[email protected] | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
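The following is an added example for readers of this thread; it is not code from Daniel, Mike, libxml2 or Nokogiri. It puts the two points of the exchange into a form a Ruby application can run on untrusted input: a pre-parse screen that lists the constructs Daniel names as the only paths by which libxml2 reaches outside the document (external entity declarations, an external DTD subset, XInclude) and classifies each as a local-file or network target, the distinction Mike notes NONET alone does not make; and a parse that leaves entity substitution (NOENT) and DTD loading (DTDLOAD) off while setting NONET. The Nokogiri `ParseOptions` chaining and `Document.parse` signature are assumed from the gem's documented API and only run when the gem is installed; the regular expressions are a screening heuristic written here, not a full DTD parser. The sample document is the one from Mike's message; the other inputs in the test are constructed.

```ruby
# Added example (not from the thread, libxml2 or Nokogiri): screening untrusted
# XML for the constructs that can make libxml2 open external resources, then
# parsing with the options the thread says must stay off.

# <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "pubid" "uri">, including
# parameter entities (<!ENTITY % name ...>).
# Groups: 1 = "%" marker, 2 = name, 3 = SYSTEM uri, 4 = PUBLIC uri.
EXTERNAL_ENTITY_RE = /<!ENTITY\s+(%\s*)?([^\s%]+)\s+(?:SYSTEM\s+["']([^"']*)["']|PUBLIC\s+["'][^"']*["']\s+["']([^"']*)["'])/

# <!DOCTYPE root SYSTEM "x.dtd"> or <!DOCTYPE root PUBLIC "pubid" "x.dtd">:
# an external DTD subset, which libxml2 fetches only when DTDLOAD is requested.
# Groups: 1 = SYSTEM uri, 2 = PUBLIC uri.
EXTERNAL_DOCTYPE_RE = /<!DOCTYPE\s+\S+\s+(?:SYSTEM\s+["']([^"']*)["']|PUBLIC\s+["'][^"']*["']\s+["']([^"']*)["'])/

# The XInclude namespace; XInclude processing is the other path to external
# resources the thread mentions.
XINCLUDE_NS_RE = %r{http://www\.w3\.org/(?:2001|2003)/XInclude}

# file: URIs and bare relative names resolve on the local filesystem; any
# other scheme is a network fetch, which is the case NONET blocks.
def target_of(uri)
  scheme = uri[/\A([A-Za-z][A-Za-z0-9+.\-]*):/, 1]
  (scheme.nil? || scheme.casecmp?('file')) ? :local_file : :network
end

# Returns one hash per external reference found in the raw document text.
def external_references(xml)
  refs = []
  xml.scan(EXTERNAL_ENTITY_RE) do |param, name, system_uri, public_uri|
    uri = system_uri || public_uri
    refs << { kind: param ? :parameter_entity : :general_entity,
              name: name, uri: uri, target: target_of(uri) }
  end
  xml.scan(EXTERNAL_DOCTYPE_RE) do |system_uri, public_uri|
    uri = system_uri || public_uri
    refs << { kind: :external_dtd, name: nil, uri: uri, target: target_of(uri) }
  end
  if xml.match?(XINCLUDE_NS_RE)
    refs << { kind: :xinclude, name: nil, uri: nil, target: :any }
  end
  refs
end

def safe_to_parse?(xml)
  external_references(xml).empty?
end

# Parse with Nokogiri (assumed API), starting from an empty option set rather
# than DEFAULT_XML so nothing is inherited implicitly: NOENT and DTDLOAD stay
# off, NONET is set as a second line of defence. Returns nil without the gem.
def parse_untrusted(xml)
  require 'nokogiri'
  opts = Nokogiri::XML::ParseOptions.new(0).recover.nonet
  Nokogiri::XML::Document.parse(xml, nil, nil, opts)
rescue LoadError
  nil # nokogiri gem not installed
end

# The document from Mike's message.
SAMPLE_FROM_THREAD = <<~XML
  <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
  <root>
    <e>&ent;</e>
  </root>
XML

if __FILE__ == $PROGRAM_NAME
  external_references(SAMPLE_FROM_THREAD).each do |r|
    puts "#{r[:kind]} #{r[:name].inspect} -> #{r[:uri].inspect} (#{r[:target]})"
  end
  doc = parse_untrusted(SAMPLE_FROM_THREAD)
  puts doc ? "parsed without entity substitution, root: #{doc.root.name}" : "nokogiri not installed"
end
```

The screen is a cheap gate to put in front of the parser when the application never expects a DTD or XInclude from the source at hand; it rejects or logs rather than relying solely on parser flags, and it tells an incident responder which files or hosts a rejected document was pointing at. The parse step is the actual fix the thread arrives at: with libxml2 2.9.0 and NOENT left off, the `&ent;` reference is kept as an unexpanded entity node and the file is never opened.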
