XML External Entity (XXE), potential security risk
danielweck opened this issue · 1 comments
Thanks @bluefirepatrick for the heads-up!
```xml
<!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<root>
<e>&ent;</e>
</root>
```
(ouch!)
short story:
`XML_PARSE_NOENT` should be removed from the libxml parser options (see below). Note that the name can be misleading, as it in fact means that entities should be expanded so that no entity nodes should be created inside the parsed document (entity replacement / substitution).
long story:
Here is Readium's libxml parser config:
https://github.com/readium/readium-sdk/blob/develop/ePub3/ePub/archive_xml.cpp#L28
```cpp
const int ArchiveXmlReader::DEFAULT_OPTIONS = XML_PARSE_RECOVER | XML_PARSE_NOENT | XML_PARSE_DTDATTR | XML_PARSE_NONET;
```
As you can see, we don't use `XML_PARSE_DTDLOAD`, but we do have `XML_PARSE_NOENT`.
We do set `XML_PARSE_NONET`, but the potential security risk applies to local files too.
By the way, these binary mask options are passed to:
https://github.com/readium/readium-sdk/blob/develop/ePub3/xml/utilities/io.cpp#L74
```cpp
std::shared_ptr<Document> InputBuffer::xmlReadDocument(const char * url, const char * encoding, int options)
{
    _encodingCheck = encoding;
    xmlDocPtr raw = xmlReadIO(_buf->readcallback, _buf->closecallback, _buf->context, url, encoding, options);
    return Wrapped<Document>(raw);
}

std::shared_ptr<Document> InputBuffer::htmlReadDocument(const char *url, const char *encoding, int options)
{
    _encodingCheck = encoding;
    return Wrapped<Document>(htmlReadIO(_buf->readcallback, _buf->closecallback, _buf->context, url, encoding, options));
}
```
Also note `xmlSubstituteEntitiesDefault(0);` and `xmlLoadExtDtdDefaultValue = 0;` in `__resetLibXMLOverrides`:
https://github.com/readium/readium-sdk/blob/develop/ePub3/xml/utilities/base.cpp#L76
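As an added illustration (not Readium's code, and not part of this issue), the snippet below audits a libxml2 option mask for the XXE-relevant bits, produces a hardened mask, and adds a pre-parse guard that rejects any document carrying an `<!ENTITY` declaration before it reaches the parser. The flag values are the `xmlParserOption` bits from libxml2's `parser.h`; the helper names (`audit_options`, `harden_options`, `has_entity_declarations`) and the sample documents are constructed for this example. It is written in Python so it runs without libxml2 installed; the same bit arithmetic applies to the C++ `DEFAULT_OPTIONS` constant quoted above.

```python
import re
from typing import List

# libxml2 parser option bits (enum xmlParserOption in libxml/parser.h).
XML_PARSE_RECOVER  = 1 << 0   # recover on errors
XML_PARSE_NOENT    = 1 << 1   # substitute entities: the XXE-relevant flag
XML_PARSE_DTDLOAD  = 1 << 2   # load the external DTD subset
XML_PARSE_DTDATTR  = 1 << 3   # apply DTD default attributes
XML_PARSE_DTDVALID = 1 << 4   # validate against the DTD (loads it as a side effect)
XML_PARSE_XINCLUDE = 1 << 10  # process XInclude (another file/URL fetch path)
XML_PARSE_NONET    = 1 << 11  # forbid network access

# The mask quoted in the issue: RECOVER | NOENT | DTDATTR | NONET.
READIUM_DEFAULT_OPTIONS = (XML_PARSE_RECOVER | XML_PARSE_NOENT
                           | XML_PARSE_DTDATTR | XML_PARSE_NONET)

# Bits that let parser input pull in other content; cleared by harden_options().
UNSAFE_BITS = (XML_PARSE_NOENT | XML_PARSE_DTDLOAD
               | XML_PARSE_DTDVALID | XML_PARSE_XINCLUDE)


def audit_options(options: int) -> List[str]:
    """Return one finding per XXE-relevant problem in a libxml2 option mask."""
    findings = []
    if options & XML_PARSE_NOENT:
        findings.append("XML_PARSE_NOENT: entity references are substituted, "
                        "so a SYSTEM entity can inline a local file")
    if options & XML_PARSE_DTDLOAD:
        findings.append("XML_PARSE_DTDLOAD: external DTD subset is fetched")
    if options & XML_PARSE_DTDVALID:
        findings.append("XML_PARSE_DTDVALID: validation loads the external DTD")
    if options & XML_PARSE_XINCLUDE:
        findings.append("XML_PARSE_XINCLUDE: XInclude can pull in other files")
    if not options & XML_PARSE_NONET:
        findings.append("XML_PARSE_NONET missing: network fetches are allowed")
    return findings


def harden_options(options: int) -> int:
    """Clear the unsafe bits and force NONET; every other bit is kept as-is."""
    return (options & ~UNSAFE_BITS) | XML_PARSE_NONET


# Pre-parse guard, independent of parser flags: an attacker declares the
# entity in the internal subset, so refuse any <!ENTITY declaration up front.
_ENTITY_DECL = re.compile(rb"<!ENTITY\s")


def has_entity_declarations(xml_bytes: bytes) -> bool:
    """True if the raw document text contains an entity declaration."""
    return _ENTITY_DECL.search(xml_bytes) is not None


# Constructed samples: one shaped like the document quoted in the issue,
# one ordinary document with only a predefined entity reference.
SAMPLE_XXE = (b'<!DOCTYPE root [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>\n'
              b"<root><e>&ent;</e></root>")
SAMPLE_PLAIN = b"<root><e>text &amp; more</e></root>"

if __name__ == "__main__":
    for finding in audit_options(READIUM_DEFAULT_OPTIONS):
        print("finding:", finding)
    fixed = harden_options(READIUM_DEFAULT_OPTIONS)
    print("hardened mask:", hex(fixed), "findings:", audit_options(fixed))
    print("sample declares entities:", has_entity_declarations(SAMPLE_XXE))
```

The audit reports exactly one finding for the quoted mask (`XML_PARSE_NOENT`), and the hardened mask keeps `XML_PARSE_RECOVER`, `XML_PARSE_DTDATTR` and `XML_PARSE_NONET` while dropping the substitution bit. The per-call option mask is what the reader API applies, which is why the global `xmlSubstituteEntitiesDefault(0)` in `__resetLibXMLOverrides` is not by itself sufficient; the entity-declaration guard is a belt-and-braces check that does not depend on which flags a given call site passes.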
General references:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet
https://git.gnome.org//browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
https://mail.gnome.org/archives/xml/2012-October/msg00045.html
w3c/epubcheck@66e88e4
Craig Arendt (Stratum Security)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7889
CVE-2016-7889 + CVE-2016-7666 + CVE-2016-9487
https://support.apple.com/en-us/HT207432
https://helpx.adobe.com/security/products/Digital-Editions/apsb16-45.html
https://www.kb.cert.org/vuls/id/779243
Fixed: ae7c0b8