Opened 10 years ago

Closed 9 years ago

#944 closed defect (fixed)

check XXE libxml vulnerability

Reported by: Peter Baumann
Owned by: Andrei Badoi
Priority: critical
Milestone: 9.2
Component: petascope
Version: development
Keywords:
Cc: Alex Dumitru, drusu
Complexity: Trivial

Description

check the petascope XML parser against this exploit.
We need to make sure every time an XML is parsed from an external source an XML parser with resolve_entities=False should be passed:

from lxml import etree

parser = etree.XMLParser(resolve_entities=False)

etree.fromstring(e, parser)
etree.parse(f, parser)
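
The effect of resolve_entities=False, as an added example that is not part of the ticket or of petascope: a constructed request body declares an internal entity, and the two parsers are compared. The element and function names are the example's own.

```python
# Added example (not from the ticket or from petascope): shows what
# resolve_entities=False actually changes in lxml, using a constructed
# document with an internal entity. Requires lxml (pip install lxml).
from lxml import etree

# Constructed sample: a DOCTYPE declaring an internal entity, the kind of
# thing an untrusted client could place in a request body.
UNTRUSTED_XML = b"""<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY greeting "hello">
]>
<request><value>&greeting;</value></request>"""


def parse_untrusted(data):
    """Parse XML from an external source with entity resolution disabled,
    as the ticket description requires (no_network is lxml's default and
    is repeated here only to make the intent explicit)."""
    parser = etree.XMLParser(resolve_entities=False, no_network=True)
    return etree.fromstring(data, parser)


def parse_default(data):
    """lxml's default parser: entities are expanded, which is what the
    ticket wants to avoid for input from external sources."""
    return etree.fromstring(data)


def value_text(root):
    """Text of <value>; None when the entity reference was left unexpanded."""
    return root.find("value").text


def unresolved_entities(root):
    """Names of entity references that remain as entity nodes in the tree,
    i.e. were not substituted by the parser."""
    return [node.name for node in root.iter(etree.Entity)]


if __name__ == "__main__":
    # Default parser substitutes the entity; hardened parser keeps it as a
    # reference node and the element text stays empty.
    print(value_text(parse_default(UNTRUSTED_XML)))          # hello
    print(value_text(parse_untrusted(UNTRUSTED_XML)))        # None
    print(unresolved_entities(parse_untrusted(UNTRUSTED_XML)))  # ['greeting']
```

A parse that leaves entity nodes behind is the signal to look for when checking that the hardened parser is the one actually being used on a code path.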

Change History (7)

comment:1 by Peter Baumann, 9 years ago

Owner: changed from Vlad Merticariu to Vlad Zamfir
Status: new → assigned

comment:2 by Dimitar Misev, 9 years ago

Milestone: 9.1 → 9.2

comment:3 by Alex Dumitru, 9 years ago

Cc: drusu added
Owner: changed from Vlad Zamfir to Andrei Badoi

comment:4 by Dimitar Misev, 9 years ago

can we get a status report?

comment:5 by drusu, 9 years ago (in reply to comment:4)

Replying to dmisev:

can we get a status report?

We added the following into XMLUtil.java:

    import javax.xml.parsers.SAXParserFactory;

    // FEATURE_XXE_FALSE is the feature-name constant defined elsewhere in XMLUtil.java
    factory = SAXParserFactory.newInstance();
    try {
        factory.setFeature(FEATURE_XXE_FALSE, false);
    } catch (Exception e) {
        // If the feature does not exist => no XXE support anyway, so nothing we need to do
    }

I think this should work, but we have a problem while running the petascope project in NetBeans. It doesn't want to deploy and I think this is because some properties from petascope were changed while creating the framework for testing (another task).
Once we fix the petascope I think it will work.

comment:6 by Dimitar Misev, 9 years ago

You don't need to deploy petascope in NetBeans, you can (and you should) just make install it and deploy in Tomcat.

comment:7 by Peter Baumann, 9 years ago

Resolution: fixed
Status: assigned → closed