Hello,

Thanks for the reply. Your point about the appropriate security levels on your 
server is true, and having a solid security model in place should prevent 
loading local files. However, the fact is that the option still remains and 
that other scenarios using entity expansion (the xml bomb) could compromise 
the system. 

Being able to disable DTD validation and processing would be the best solution, 
so it's great that it is being looked into. We don't use DTD as it is 
superseded, so hopefully it will be available soon.

Regards,
Marcel


Date: Thu, 15 Mar 2018 02:22:15 +0000
From: Trinh Lieu <trinh.l...@marklogic.com>
Subject: [MarkLogic Dev General] Potential System Entity Expansion with MarkLogic
To: "General@developer.marklogic.com" <General@developer.marklogic.com>
Message-ID: <33492976866b4c14b60a0872e67fd...@marklogic.com>
Content-Type: text/plain; charset="us-ascii"

Hello Developers,

Several developers have raised some concerns about potential system entity 
expansion with MarkLogic. There are some things to keep in mind when thinking 
about this.

Since MarkLogic is a database management system, it works with the operating 
system to provide high levels of security. In this case, only files that have 
appropriate file permissions can be loaded in this manner (for example: 
<!ENTITY xxe SYSTEM "file:///c:/text.xml" >). Files have to be readable by 
daemon on Linux, or the equivalent on Windows, or this will generate an 
exception. This capability is part of the XML specification and MarkLogic 
tries to support standards wherever possible. Any APIs used to manipulate 
entities (e.g., xdmp:document-insert) are all protected by MarkLogic's 
granular user-role-permissions security model.

That said, we do want to respond to any customer and developer concerns, so we 
are looking into a trace event which would allow developers to enable or 
disable system entity expansion. This would enable developers to have exact 
control over the behavior, as they should.

Have a great rest of your week.

Regards,
Trinh

Trinh N. Lieu
Senior Manager, Developer Community
MarkLogic Corporation
trinh.l...@marklogic.com
Phone: 703.854.8561
www.marklogic.com
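The policy the reply asks for (reject DTD processing outright) can be enforced in front of any parser. The following is an added example, not code from this thread or from MarkLogic: a stdlib-only Python guard that uses pyexpat's declaration callbacks to read just the DTD, records any SYSTEM entity or nested internal entity it declares, and stops before the document body is parsed, so nothing is ever expanded or fetched. The sample documents are constructed; the SYSTEM entity is the one quoted in Trinh's message.

```python
from xml.parsers import expat


class DtdFound(Exception):
    """Raised from a callback to stop parsing once the DTD has been read."""


def inspect_dtd(xml_bytes: bytes) -> dict:
    """Report what the DTD declares without expanding a single entity."""
    report = {"doctype": False, "external": [], "internal": []}
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = True
        if system_id:  # <!DOCTYPE x SYSTEM "..."> points at an external DTD
            report["external"].append(("DOCTYPE", system_id))

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # SYSTEM/PUBLIC entities carry a system_id; internal ones carry a value.
        if system_id:
            report["external"].append((name, system_id))
        else:
            report["internal"].append((name, value))

    def end_doctype():
        raise DtdFound  # the body is never parsed, so nothing is expanded

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = end_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DtdFound:
        pass
    return report


def is_safe_to_parse(xml_bytes: bytes) -> bool:
    """Policy from the thread: DTDs are not used, so any DOCTYPE is rejected."""
    return not inspect_dtd(xml_bytes)["doctype"]


# Constructed samples: a plain document, the SYSTEM entity quoted in the thread,
# and a tiny nested-entity document of the kind the reply calls an "xml bomb".
BENIGN = b"<doc><item>hello</item></doc>"
XXE = b'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "file:///c:/text.xml">]><doc>&xxe;</doc>'
NESTED = b'<!DOCTYPE doc [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]><doc>&b;</doc>'
```

The report is there for logging and alerting; the accept/reject decision itself needs nothing more than the DOCTYPE flag.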

_______________________________________________
General mailing list
General@developer.marklogic.com
Manage your subscription at: 
http://developer.marklogic.com/mailman/listinfo/general