Debian Bug report logs - #838097
XML::LibXML expands external entities by default

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#838097; Package libxml-libxml-perl. (Sat, 17 Sep 2016 10:57:06 GMT)

Acknowledgement sent to "P. Benie" <pjb1008@cam.ac.uk>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 17 Sep 2016 10:57:06 GMT)

Message #5 received at submit@bugs.debian.org:

Package: libxml-libxml-perl
Version: 2.0116+dfsg-1+deb8u1

When I do an external entity attack against a program using
XML::LibXML, it works! This was unexpected as the underlying
library, libxml2, has had its defaults changed to disable
external entity loading by default (at least when not validating).

The cause is that XML::LibXML has its own idea of what the defaults should
be: XML_LIBXML_PARSE_DEFAULTS = ( XML_PARSE_NODICT | XML_PARSE_DTDLOAD |
XML_PARSE_NOENT )
which causes it to load and expand the entities.

Example:

#!/usr/bin/perl -w
use XML::LibXML;

my $xml=<<END;
<!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<node>
<e>&ent;</e>
</node>
END

print XML::LibXML->new()->parse_string($xml);

The issue is that XML-based application interfaces can be manipulated to
cause programs to leak information.

I suggest that the default XML::LibXML parser options should be changed to
match libxml2's defaults. This is where the libxml2 behaviour was changed:
https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

Peter

Marked as found in versions libxml-libxml-perl/2.0116+dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 20 Sep 2016 17:54:06 GMT)

Added tag(s) security.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 20 Sep 2016 18:15:10 GMT)

Removed tag(s) security.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 21 Sep 2016 14:12:04 GMT)

Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 21 Sep 2016 14:15:04 GMT)

Severity set to 'wishlist' from 'normal'
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 21 Sep 2016 14:15:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#838097; Package libxml-libxml-perl. (Wed, 21 Sep 2016 14:30:08 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 21 Sep 2016 14:30:08 GMT)

Message #20 received at 838097@bugs.debian.org:

Hi Bernie,
On Sat, Sep 17, 2016 at 11:55:08AM +0100, P. Benie wrote:
> Package: libxml-libxml-perl
> Version: 2.0116+dfsg-1+deb8u1
>
> When I do an external entity attack against a program using
> XML::LibXML, it works! This was unexpected as the underlying
> library, libxml2, has had its defaults changed to disable
> external entity loading by default (at least when not validating).
>
> The cause is that XML::LibXML has its own idea of what the defaults should
> be: XML_LIBXML_PARSE_DEFAULTS = ( XML_PARSE_NODICT | XML_PARSE_DTDLOAD |
> XML_PARSE_NOENT )
> which causes it to load and expand the entities.
>
> Example:
>
> #!/usr/bin/perl -w
> use XML::LibXML;
>
> my $xml=<<END;
> <!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
> <node>
> <e>&ent;</e>
> </node>
> END
>
> print XML::LibXML->new()->parse_string($xml);
>
> The issue is that XML-based application interfaces can be manipulated to
> cause programs to leak information.
>
> I suggest that the default XML::LibXML parser options should be changed to
> match libxml2's defaults. This is where the libxml2 behaviour was changed:
> https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

If the default should be changed, it is best to have that change upstream.
Currently the expand_entities behaviour is documented as

XML::LibXML::Parser(3pm):

    expand_entities
        /parser, reader/

        substitute entities; possible values are 0 and 1;
        default is 1

        Note that although this flag disables entity substitution, it
        does not prevent the parser from loading external entities;
        when substitution of an external entity is disabled, the
        entity will be represented in the document tree by an
        XML_ENTITY_REF_NODE node whose subtree will be the content
        obtained by parsing the external resource; Although this
        nesting is visible from the DOM it is transparent to XPath
        data model, so it is possible to match nodes in an unexpanded
        entity by the same XPath expression as if the entity were
        expanded. See also ext_ent_handler.

Could you please bring the question upstream?

Thanks a lot in advance, and for your report!

Regards,
Salvatore
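
A check of the behaviour discussed in this report, as an added example that is not part of the bug log or of XML::LibXML itself: it parses a document of the same shape against a constructed canary file, once with the module's defaults and once with `expand_entities`, `load_ext_dtd` and `no_network` set restrictively, and reports whether the file's content reaches the parsed tree. The canary string and the `leaks` helper are hypothetical names; the option names are those documented in XML::LibXML::Parser(3pm).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed canary file standing in for a sensitive local file.
my $canary = 'CANARY-838097';
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "$canary\n";
close $fh or die "close: $!";

# Same document shape as in the report, pointed at the canary file.
my $xml = <<"END";
<!DOCTYPE root [ <!ENTITY ent SYSTEM "file://$path"> ]>
<node>
<e>&ent;</e>
</node>
END

# True if the external file's content is reachable from the parsed tree.
# textContent is checked as well as the serialization because an
# unexpanded entity reference node can still carry the loaded content.
sub leaks {
    my ($parser) = @_;
    my $doc = eval { $parser->parse_string($xml) };
    return 0 unless defined $doc;    # parse refused: nothing disclosed
    my $seen = $doc->toString . $doc->documentElement->textContent;
    return index($seen, $canary) >= 0 ? 1 : 0;
}

my @cases = (
    [ 'module defaults' => XML::LibXML->new() ],
    [ 'hardened'        => XML::LibXML->new(
        expand_entities => 0,    # do not substitute entities
        load_ext_dtd    => 0,    # do not fetch external DTD subsets
        no_network      => 1,    # refuse network URLs
    ) ],
);

for my $case (@cases) {
    my ($name, $parser) = @$case;
    printf "%-16s %s\n", $name, leaks($parser) ? 'LEAKS canary' : 'no leak';
}
```

The result for the default parser depends on the installed XML::LibXML and libxml2 versions, so the script is best run on each system where untrusted XML is parsed.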
Last modified:
Thu Jul 4 12:25:59 2024;