Thanks, Gunther, for the response. @Nico: I invite you to join the ongoing discussion on sane/safe defaults for the fn:doc and fn:parse-xml functions in the qtspecs repository [1]. User feedback is always appreciated.
Best, Christian

[1] https://github.com/qt4cg/qtspecs/issues/2034

________________________________
From: Gunther Rademacher via BaseX-Talk <[email protected]>
Sent: Thursday, July 3, 2025 7:28:14 PM
To: [email protected] <[email protected]>; [email protected] <[email protected]>
Subject: [basex-talk] Re: Security problem in 11.9?

Hi Nico,

I’ve pasted my reply from May 3 below, in case it was missed. From my perspective, that should address the issue - please let me know if you see it differently.

Best regards,
Gunther

> Sent: Saturday, 3 May 2025 at 01:19
> From: "Gunther Rademacher" <[email protected]>
> To: [email protected], [email protected]
>
> Subject: Re: [basex-talk] Security problem in 11.9?
>
> Hi Nico,
>
> what you describe is the expected behaviour. Please be aware of the
> recent changes of fn:doc (and also fn:parse-xml) that were made in
> 11.9.
>
> These functions now support options to control the access of
> external entities, in particular
>
> - allow-external-entities: whether external entities are
>   permitted (true) or rejected (false), default true
> - dtd: whether external entities are processed (true) or
>   ignored (false), default true.
>
> In fact option dtd is not completely new, but previously its value
> was taken from the context option DTD, which defaults to false. So
> with 11.8, you could produce the same directory listing that you
> experienced with 11.9 by running this on the document that you
> provided:
>
>   basex -ODTD=yes "doc('doc.xml')"
>
> Now the options can be supplied per function call, they are
> independent of the context options, and the defaults are different.
> To restore the result that you were used to with 11.9, you need to
> run:
>
>   basex "doc('doc.xml', { 'dtd': false() })"
>
> You can now also run this in order to reject any external entity
> references:
>
>   basex "doc('doc.xml', { 'allow-external-entities': false() })"
>
> The changes were made to implement the XQuery 4.0 specification
> of these functions:
>
>   https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-doc
>   https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-parse-xml
>
> This is also described here:
>
>   https://docs.basex.org/12/Standard_Functions#fn:doc
>   https://docs.basex.org/12/Standard_Functions#fn:parse-xml
>
> Best regards,
> Gunther
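Added example, not from the thread or the BaseX project: an XQuery script that exercises the three option combinations Gunther describes (default, `dtd: false()`, `allow-external-entities: false()`) on a constructed inline document via fn:parse-xml, which the thread says takes the same options as fn:doc. The document, the entity name `ext` and the `file:///etc/hostname` target are assumptions chosen for illustration; Nico's original doc.xml is not shown in the thread. The thread also does not state which error code BaseX raises when an external entity is rejected, so the script catches any error and reports its description rather than matching a specific code.

```xquery
(: Constructed sample document (assumption, not Nico's doc.xml): an internal
   DTD subset declaring an external entity that points at a local file.
   Inside an XQuery string literal "&amp;ext;" yields the text "&ext;". :)
let $xml :=
  '<!DOCTYPE d [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>'
  || '<d>&amp;ext;</d>'

(: 1. BaseX 11.9+ defaults: dtd=true and allow-external-entities=true,
      so the external entity is resolved and the file content is read. :)
let $resolved := parse-xml($xml)

(: 2. dtd=false: external entities are not processed. This corresponds to
      the pre-11.9 behaviour when the context option DTD was left at its
      default of false. :)
let $ignored := parse-xml($xml, { 'dtd': false() })

(: 3. allow-external-entities=false: the external entity reference is
      rejected with an error, which is caught here. :)
let $rejected :=
  try {
    string(parse-xml($xml, { 'allow-external-entities': false() }))
  } catch * {
    'rejected: ' || $err:description
  }

return {
  'default'  : string($resolved),
  'dtd-off'  : string($ignored),
  'rejected' : $rejected
}
```

Run it with `basex example.xq`. The `default` entry is the one that surprised Nico: without any option, content from outside the document ends up in the query result. For untrusted input, `allow-external-entities: false()` is the setting to pass explicitly, since a query that relies on the 11.9 defaults behaves differently from one run on 11.8 with the same context options.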

