Opened 9 years ago
Closed 9 years ago
#944 closed defect (fixed)
check XXE libxml vulnerability
| Reported by: | Peter Baumann | Owned by: | Andrei Badoi |
|---|---|---|---|
| Priority: | critical | Milestone: | 9.2 |
| Component: | petascope | Version: | development |
| Keywords: | Cc: | Alex Dumitru, drusu | |
| Complexity: | Trivial |
Description
check the petascope XML parser against this exploit.
We need to make sure everytime an XML is parsed from an external source an XML parser with resolve_entities=False should be passed:
parser = etree.XMLParser(resolve_entities=False)
etree.fromstring(e, parser)
etree.parse(f, parser)
Change History (7)
comment:1 by , 9 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 9 years ago
| Milestone: | 9.1 → 9.2 |
|---|
comment:3 by , 9 years ago
| Cc: | added |
|---|---|
| Owner: | changed from to |
follow-up: 5 comment:4 by , 9 years ago
comment:5 by , 9 years ago
Replying to dmisev:
can we get a status report?
We added the following into XMLUtil.java:
factory = SAXParserFactory.newInstance();
try{
factory.setFeature(FEATURE_XXE_FALSE, false);
}
catch(Exception e){
If feature does not exist ⇒ no XXE support anyway so nothing we need to do
};
I think this should work, but we have a problem while running the petascope project in netbeans. It doesnt want to deploy and i think this is because some properties from petascope were changed while creating the framework for testing ( another task ).
Once we fix the petascope I think it will work.
comment:6 by , 9 years ago
You don't need to deploy petascope in NetBeans, you can (and you should) just make install it and deploy in Tomcat.
comment:7 by , 9 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
can we get a status report?