
This queue is for tickets about the XML-Twig CPAN distribution.

Report information
The Basics
Id: 118097
Status: open
Priority: 0/
Queue: XML-Twig

People
Owner: Nobody in particular
Requestors: dmoppert [...] redhat.com
Cc: CARNIL [...] cpan.org
KENTNL [...] cpan.org
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: expand_external_ents fails to work as documented
Date: Tue, 27 Sep 2016 12:35:13 +0930
To: bug-XML-Twig [...] rt.cpan.org
From: Doran Moppert <dmoppert [...] redhat.com>
From the manual:

> expand_external_ents
>
> When this option is used external entities (that are defined) are
> expanded when the document is output using "print" functions such as
> print , sprint , flush and xml_string . Note that in the twig the
> entity will be stored as an element with a tag '#ENT', the entity will
> not be expanded there, so you might want to process the entities
> before outputting it.

The default is indeed 0 (verified by inspecting $twig->global_state), but it seems that external entities are expanded in *all* cases. I'm not sure how much XML::Parser is responsible (see end of transcript), but the manual there isn't clearly telling me how XXE can be turned off. Same results with XML::Twig 3.26 through 3.49.

Is there a good way to de-fang this behaviour that I have failed to identify?

~~~
$ cat test.pl
use XML::Twig;
my $twig = XML::Twig->new( expand_external_ents => $ARGV[0] );
$twig->parsefile( "test.xml");
$twig->print;

$ cat test.xml
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe PUBLIC "bar" "boom.txt"> ]>
<root>&xxe;</root>

$ echo Boom > boom.txt
$ perl test.pl 1 | grep Boom
<root>Boom
$ perl test.pl 0 | grep Boom
<root>Boom
$ perl test.pl -1 | grep Boom
<root>Boom

$ chmod 0 boom.txt
$ perl test.pl 1
cannot load SYSTEM entity 'xxe' from 'boom.txt': cannot open 'boom.txt': Permission denied at /usr/lib64/perl5/vendor_perl/XML/Parser/Expat.pm line 474.
 at /usr/lib64/perl5/vendor_perl/XML/Parser.pm line 187.
	eval {...} called at /usr/lib64/perl5/vendor_perl/XML/Parser.pm line 186
	XML::Parser::parse(XML::Twig=HASH(0xaab468), "*XML::Parser::FILE") called at /usr/share/perl5/XML/Twig.pm line 767
	eval {...} called at /usr/share/perl5/XML/Twig.pm line 767
	XML::Twig::parse(XML::Twig=HASH(0xaab468), "*XML::Parser::FILE") called at /usr/lib64/perl5/vendor_perl/XML/Parser.pm line 233
	eval {...} called at /usr/lib64/perl5/vendor_perl/XML/Parser.pm line 232
	XML::Parser::parsefile(XML::Twig=HASH(0xaab468), "test.xml") called at /usr/share/perl5/XML/Twig.pm line 781
	eval {...} called at /usr/share/perl5/XML/Twig.pm line 781
	XML::Twig::parsefile(XML::Twig=HASH(0xaab468), "test.xml") called at test.pl line 4
 at test.pl line 4.
 at test.pl line 4.
$ perl test.pl 0
cannot expand &xxe; - cannot load 'boom.txt' at /usr/lib64/perl5/vendor_perl/XML/Parser/Expat.pm line 474.
 at test.pl line 4.
 at test.pl line 4.
$ perl test.pl -1
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe PUBLIC "bar" "boom.txt"> ]>
<root><!-- cannot expand &xxe; - cannot load 'boom.txt' --></root>
~~~

--
Doran Moppert
Red Hat Product Security

From: ppisar [...] redhat.com
CVE-2016-9180 identifier was assigned to this vulnerability <http://seclists.org/oss-sec/2016/q4/329>.
CC: xmltwig [...] gmail.com
Subject: [rt.cpan.org #118097] no_xxe in released module but not in git?
Date: Tue, 13 Dec 2016 10:51:53 +0100
To: bug-XML-Twig [...] rt.cpan.org
From: Raphael Hertzog <hertzog [...] debian.org>
Hello Michel,

https://metacpan.org/changes/release/MIROD/XML-Twig-3.52 shows that version 3.50 added the missing no_xxe flag but for some reason the git repository is not up-to-date: https://github.com/mirod/xmltwig/commits/master only contains commits up to June 21.

Can you update the git repository so that we can see the commit that added this new feature? Ideally if you can push git tags too, that would be nice.

And while this new feature is certainly welcome, what's your stance on the behaviour of expand_external_ents which apparently does not work as advertised? Do you expect to fix that at some point?

FWIW I have reproduced the results of Doran with version 3.50 of XML::Twig.

Thank you.

--
Raphaël Hertzog ◈ Writer/Consultant ◈ Debian Developer
Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
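As an added illustration for both Doran's reproducer and the no_xxe flag mentioned in the reply above (this is not code from the ticket, from XML::Twig or from its test suite), the following script reruns the experiment against an in-memory document and reports, for each constructor setting, whether the contents of an external file reached the output. It assumes XML::Twig 3.50 or later (the constructor rejects no_xxe on older versions) and uses a SYSTEM entity pointing at a constructed temporary file rather than the ticket's PUBLIC "boom.txt".

```perl
#!/usr/bin/perl
# Added check for this ticket: does a given XML::Twig configuration still
# expand an external entity?  Assumes XML::Twig >= 3.50 (for no_xxe).
use strict;
use warnings;
use XML::Twig;
use File::Temp qw(tempfile);

# Constructed external resource; its marker must never reach the output.
my ( $fh, $secret_path ) = tempfile( UNLINK => 1 );
print $fh "MARKER-DO-NOT-LEAK\n";
close $fh;

# Constructed document mirroring the reporter's test.xml, with an
# absolute SYSTEM identifier so it works independently of the cwd.
my $doc = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "$secret_path"> ]>
<root>&xxe;</root>
XML

# Parse $doc with the given constructor options.  Returns 1 when the
# entity content was NOT exposed (parser refused the document, or the
# serialised output lacks the marker) and 0 when it leaked.
sub entity_blocked {
    my (%opts) = @_;
    my $twig = XML::Twig->new(%opts);    # dies loudly on unknown options
    my $out  = eval { $twig->parse($doc); $twig->sprint };
    return 1 if !defined $out;           # parse died: nothing was emitted
    return $out =~ /MARKER-DO-NOT-LEAK/ ? 0 : 1;
}

# As the ticket shows, expand_external_ents alone is not a defence:
# the marker is expected to leak for all three values.
for my $v ( 1, 0, -1 ) {
    printf "expand_external_ents => %2d : %s\n", $v,
        entity_blocked( expand_external_ents => $v ) ? "blocked" : "LEAKED";
}

# no_xxe (added in 3.50 according to the thread) is the setting to rely on.
printf "no_xxe => 1               : %s\n",
    entity_blocked( no_xxe => 1 ) ? "blocked" : "LEAKED";
```

Run it once after upgrading to confirm that the no_xxe line reports "blocked" while the three expand_external_ents lines still report "LEAKED", which is the behaviour the thread describes.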