[Libosinfo] [PATCH osinfo-db-tools] Don't expand entities when parsing XML

Fabiano Fidêncio fabiano at fidencio.org
Sat Oct 28 09:15:13 UTC 2017


On Thu, Oct 26, 2017 at 2:18 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> The XML_PARSE_NOENT flag to libxml will cause it to expand all entities in the
> input XML document when parsing. Doing this is bad practice if the XML input
> file comes from an untrusted source, because it can cause the XML parser to load
> arbitrary files that are readable by the user running XML parsing. This is does
> not have an security consequences given the scenario in which osinfo-db-validate
> is run since the intended usage is to validate files that are written by the
> local user, or by the upstream libosinfo maintainers.
>
> In the future though, libosinfo might be able to dynamically download data from
> the website to refresh its local database, so it is wise to avoid entity
> expansion as a hardening step.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
>  tools/osinfo-db-validate.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/osinfo-db-validate.c b/tools/osinfo-db-validate.c
> index d8c3af9..530b8a1 100644
> --- a/tools/osinfo-db-validate.c
> +++ b/tools/osinfo-db-validate.c
> @@ -64,7 +64,7 @@ static xmlDocPtr parse_file(GFile *file, GError **error)
>      }
>
>      if (!(doc = xmlCtxtReadDoc(pctxt, (const xmlChar*)data, uri, NULL,
> -                               XML_PARSE_NOENT | XML_PARSE_NONET |
> +                               XML_PARSE_NONET |
>                                 XML_PARSE_NOWARNING))) {
>          g_set_error(error, OSINFO_DB_ERROR, 0,
>                      _("Unable to parse XML document '%s'"),
> --
> 2.13.6
>
> _______________________________________________
> Libosinfo mailing list
> Libosinfo at redhat.com
> https://www.redhat.com/mailman/listinfo/libosinfo

ACK!

-- 
Fabiano Fidêncio




More information about the Libosinfo mailing list