Bug#838097: XML::LibXML expands external entities by default
P. Benie
pjb1008 at cam.ac.uk
Sat Sep 17 10:55:08 UTC 2016
Package: libxml-libxml-perl
Version: 2.0116+dfsg-1+deb8u1
When I do an external entity attack against a program using
XML::LibXML, it works! This was unexpected as the underlying
library, libxml2, has had its defaults changed to disable
external entity loading by default (at least when not validating).

The cause is that XML::LibXML has its own idea of
what the defaults should be:

  XML_LIBXML_PARSE_DEFAULTS = ( XML_PARSE_NODICT | XML_PARSE_DTDLOAD | XML_PARSE_NOENT )

which causes it to load and expand the entities.
Example:
#!/usr/bin/perl -w
use XML::LibXML;
my $xml=<<END;
<!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<node>
<e>&ent;</e>
</node>
END
print XML::LibXML->new()->parse_string($xml);
The issue is that XML-based application interfaces can be manipulated to
cause programs to leak information.
I suggest that the default XML::LibXML parser options should be changed to
match libxml2's defaults. This is where the libxml2 behaviour was changed:
https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
Peter
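
Added example, not part of the original report or of XML::LibXML itself: a regression check that parses a document of the same shape once with the options the report describes and once with a hardened set (load_ext_dtd, expand_entities and no_network are XML::LibXML parser options). The canary file, the sample document and the leaks_canary helper are constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed canary file standing in for a sensitive local file.
my $canary = 'CANARY-' . int(rand(1e9));
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $canary;
close $fh;

# Constructed input: same shape as the document in the report,
# but the external entity points at the canary file.
my $xml = <<"END";
<!DOCTYPE root [ <!ENTITY ent SYSTEM "file://$path"> ]>
<node>
<e>&ent;</e>
</node>
END

# Hypothetical helper: returns 1 if a parser built with the given
# options pulled the canary file's content into the parsed document.
sub leaks_canary {
    my (%opts) = @_;
    my $doc = eval { XML::LibXML->new(%opts)->parse_string($xml) };
    return 0 unless defined $doc;    # parser refused the input: nothing leaked
    return index($doc->toString, $canary) >= 0 ? 1 : 0;
}

# Options set explicitly to the defaults described in the report
# (XML_PARSE_DTDLOAD | XML_PARSE_NOENT).
my %as_reported = (load_ext_dtd => 1, expand_entities => 1);

# Hardened options: no external DTD, no entity substitution, no network fetches.
my %hardened = (load_ext_dtd => 0, expand_entities => 0, no_network => 1);

printf "as reported: %s\n", leaks_canary(%as_reported) ? 'LEAK' : 'ok';
my $hardened_leaks = leaks_canary(%hardened);
printf "hardened:    %s\n", $hardened_leaks ? 'LEAK' : 'ok';

# A non-zero exit status lets a test suite fail if the hardened parser leaks.
exit($hardened_leaks ? 1 : 0);
```

Run against the installed XML::LibXML, this shows whether that version and option set still expand file-based external entities.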