Subject: XXE in SVG files
Date: Tue, 27 Sep 2016 14:10:39 +0930
To: bug-Image-Info [...] rt.cpan.org
From: Doran Moppert <dmoppert [...] redhat.com>
See also (Bug #118032)
<https://rt.cpan.org/Public/Bug/Display.html?id=118032>.
Image::Info::SVG makes no attempt to disable the expansion of XML
external entities. If used on untrusted SVG files, an attacker could
cause an arbitrary local file to be disclosed, or cause denial of service
by including a reference to an HTTP resource.
The fix is to pass `expand_entities => 0` to the LibXML constructor.
This should probably be the default behaviour, with an explicit option
to Image::Info required to turn it back on. Most users will not expect
that image_info($somefile) can cause arbitrary open() and connect()
calls.
This could be considered a breaking change, but the current behaviour is
not explicitly documented (and offers no override) so it could make
sense for only a minor version bump, which would get more 3rd party code
protected sooner.
--
Doran Moppert
Red Hat Product Security
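The following is an added, stand-alone illustration of the problem and of the proposed fix; it is not code from Image::Info or from the report above. It builds a constructed SVG that declares an external entity pointing at a temporary file the script itself creates (standing in for something like /etc/passwd), then parses it twice with XML::LibXML: once with entity expansion on, as the report says Image::Info::SVG effectively does, and once with `expand_entities => 0`. The extra `load_ext_dtd => 0` and `no_network => 1` options are my own belt-and-braces additions, not part of the reporter's suggested one-line fix.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed stand-in for a sensitive local file (e.g. /etc/passwd).
# It is created here so the example runs anywhere, offline.
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print $fh "SECRET-CONTENTS\n";
close $fh;

# Constructed malicious SVG: an external general entity that points at the
# local file, referenced from a <text> element. An image_info()-style
# consumer that expands entities pulls the file into the parsed document.
my $svg = <<"END_SVG";
<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <text x="0" y="0">&xxe;</text>
</svg>
END_SVG

# Parse the SVG with the given parser and return the text of <text>.
# Assumption (hypothetical helper, not an Image::Info API): this mirrors the
# kind of element access a metadata extractor performs.
sub text_content {
    my ($parser) = @_;
    my $doc = $parser->parse_string($svg);
    my ($text) = $doc->documentElement->getElementsByLocalName('text');
    my $content = $text ? $text->textContent : '';
    chomp $content;
    return $content;
}

# Vulnerable configuration: entity substitution enabled. The file content
# shows up as the element text, i.e. local file disclosure.
my $unsafe = XML::LibXML->new(expand_entities => 1);
print "expand_entities=1: '", text_content($unsafe), "'\n";

# Hardened configuration: the fix proposed in the report (expand_entities => 0),
# plus two related libxml2 options that stop external DTD loading and any
# network fetch, so an HTTP entity cannot be used for denial of service either.
my $safe = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
);
print "expand_entities=0: '", text_content($safe), "'\n";
```

Run with `perl xxe_svg.pl` on a system with XML::LibXML installed. The first line prints the temp file's contents; the second prints an empty string because the `&xxe;` reference is left as an unexpanded entity reference node rather than being resolved against the filesystem. If a library must accept SVG from untrusted sources, the second parser configuration is the one it should construct, and a caller wanting the old behaviour should have to ask for it explicitly.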