discuss-gnustep

Re: XML XXE


From: Fred Kiefer
Subject: Re: XML XXE
Date: Fri, 11 Apr 2014 23:48:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0

On 11.04.2014 15:46, Ivan Vučica wrote:
> Just pinging in case our NSXMLDocument implementation is vulnerable to XML
> XXE.
> 
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> 
> libxml2 after 2.9 has this disabled by default.
> 
> On iOS (and presumably OS X) one is safe only by specifying
> NSXMLNodeLoadExternalEntitiesNever.
> 
> I can't check right now, but if GNUstep does behave the same way as OS
> X/iOS, anyone writing network services and using GNUstep's NSXMLDocument
> may want to check that they are safe.


I added the new 10.7 constants to the NSXMLNodeOptions.h file and
NSXMLDocument is now using the option XML_PARSE_NONET as default. This
may break existing code and won't prevent the vulnerabilities listed in
the link you provided, but is the best possible with my version of
libxml2. Further patches are welcome.

For me the more important code to look at would be GSXML.m, which also
uses libxml2 and gets used a lot more than NSXMLDocument.

Fred
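Because the reply above concedes that GNUstep's `XML_PARSE_NONET` default does not by itself close the XXE cases in the linked OWASP page, a network service can refuse risky documents before any full parser (NSXMLDocument, GSXML, or anything else) touches them. The following is an added example, not code from the thread or from GNUstep; it uses Python's standard-library expat bindings, which do not fetch external resources unless an `ExternalEntityRefHandler` is installed, to inspect only the DTD and reject a document that names an external DTD or declares an external (SYSTEM/PUBLIC) entity. The three sample documents and the URIs in them are constructed placeholders.

```python
"""Pre-parse audit for untrusted XML: refuse documents whose DTD pulls in an
external DTD or declares external entities, before a full parser sees them.
Python's stdlib expat never resolves external resources here because no
ExternalEntityRefHandler is installed and parameter-entity parsing is off."""
import xml.parsers.expat as expat


def audit_dtd(data: bytes) -> dict:
    """Report what the document's DTD declares, without resolving anything."""
    report = {"external_dtd": None, "external_entities": [], "internal_entities": []}
    parser = expat.ParserCreate()
    # Never expand parameter entities (this is also expat's default setting).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A SYSTEM/PUBLIC identifier on the DOCTYPE means an external DTD
        # that could declare entities we cannot see without fetching it.
        if system_id is not None or public_id is not None:
            report["external_dtd"] = {
                "name": name, "system_id": system_id, "public_id": public_id,
            }

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # External entities carry an identifier instead of an inline value.
        if system_id is not None or public_id is not None:
            report["external_entities"].append({
                "name": name, "parameter": bool(is_param),
                "system_id": system_id, "public_id": public_id,
            })
        else:
            report["internal_entities"].append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # raises expat.ExpatError on malformed input
    return report


def is_safe_to_parse(data: bytes) -> bool:
    """True when the document neither references an external DTD nor
    declares any external entity; such a document can go to the real parser."""
    report = audit_dtd(data)
    return report["external_dtd"] is None and not report["external_entities"]


# Constructed sample documents (placeholders, not taken from the thread).
SAFE_DOC = b'<?xml version="1.0"?><config><host>example.invalid</host></config>'

XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY greeting "hello">
  <!ENTITY ext SYSTEM "file:///placeholder/never-fetched.txt">
]>
<config><host>&ext;</host></config>"""

EXTERNAL_DTD_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE config SYSTEM "http://dtd.example.invalid/config.dtd">
<config><host>example.invalid</host></config>"""

if __name__ == "__main__":
    samples = (("safe", SAFE_DOC), ("xxe", XXE_DOC), ("external-dtd", EXTERNAL_DTD_DOC))
    for label, doc in samples:
        verdict = "accept" if is_safe_to_parse(doc) else "reject"
        print(f"{label}: {verdict} {audit_dtd(doc)}")
```

The audit is a gate, not a replacement for a correctly configured parser: run it on every inbound document and still pass `NSXMLNodeLoadExternalEntitiesNever` (or the equivalent libxml2 options) to the parser that does the real work, so that a document slipping past one layer is stopped by the other.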


