details: https://hg.nginx.org/njs/rev/700f267bd903 branches: changeset: 2061:700f267bd903 user: Dmitry Volyntsev <xei...@nginx.com> date: Wed Mar 01 21:38:09 2023 -0800 description: XML: removed XML_PARSE_DTDVALID during a document parsing.
When XML_PARSE_DTDVALID is enabled libxml2 parses and executes external entities present inside an xml document. This can lead to all the classic XXE exploits, including SSRF and local file disclosure. The issue was introduced in 99b9f83e4d4d (0.7.10). Thanks to @BitK_.
diffstat:
 external/njs_xml_module.c             |  3 +--
 test/xml/external_entity_ignored.t.js | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diffs (35 lines):
diff -r 7197f860de2f -r 700f267bd903 external/njs_xml_module.c
--- a/external/njs_xml_module.c Tue Feb 28 20:34:38 2023 -0800
+++ b/external/njs_xml_module.c Wed Mar 01 21:38:09 2023 -0800
@@ -432,8 +432,7 @@ njs_xml_ext_parse(njs_vm_t *vm, njs_valu
     }
 
     tree->doc = xmlCtxtReadMemory(tree->ctx, (char *) data.start, data.length,
-                                  NULL, NULL, XML_PARSE_DTDVALID
-                                  | XML_PARSE_NOWARNING
+                                  NULL, NULL, XML_PARSE_NOWARNING
                                   | XML_PARSE_NOERROR);
     if (njs_slow_path(tree->doc == NULL)) {
         njs_xml_error(vm, tree, "failed to parse XML");
diff -r 7197f860de2f -r 700f267bd903 test/xml/external_entity_ignored.t.js
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/xml/external_entity_ignored.t.js Wed Mar 01 21:38:09 2023 -0800
@@ -0,0 +1,18 @@
+/*---
+includes: [compatXml.js, compatNjs.js]
+flags: []
+paths: []
+---*/
+
+let data = `<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ENTITY c PUBLIC "bar" "extern_entity.txt">
+]>
+<root>&c;</root>
+`;
+
+if (has_njs()) {
+    const xml = require('xml');
+    let doc = xml.parse(data);
+    assert.sameValue(doc.$root.$text, "");
+}
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
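Review bot: After this change the absence of external entity expansion rests entirely on libxml2's default behaviour, which holds only as long as none of XML_PARSE_NOENT, XML_PARSE_DTDLOAD or XML_PARSE_DTDVALID is ever passed to the xmlCtxtReadMemory call in this hunk, and nothing in the code records that invariant for the next maintainer. A comment directly above the call, such as `/* Never add XML_PARSE_NOENT, XML_PARSE_DTDLOAD or XML_PARSE_DTDVALID: they make libxml2 fetch external entities (XXE). */`, would keep the flag set from being "fixed" back into the vulnerable form. As defense in depth, installing a no-op loader with xmlSetExternalEntityLoader would block fetches even if entity substitution were re-enabled later; XML_PARSE_NONET alone is weaker, since it only covers network fetches and not local files. njs_xml_ext_parse starts and ends outside the hunk.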
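Review bot: The regression test cannot tell "entity ignored" from "entity file not found": the commit does not add the referenced `extern_entity.txt`, and with the previous flags libxml2 would presumably fail to open a missing file and, under XML_PARSE_NOERROR, still produce an empty `$text`, so the assertion on the last line likely passes on the vulnerable code too. Unless the harness's `paths: []` provisions the fixture (not visible in this diff), the test should ship a constructed `extern_entity.txt` holding a marker string so that `assert.sameValue(doc.$root.$text, "")` actually proves the entity was not expanded. Separately, `let data` and `let doc` are never reassigned and read better as `const data` and `const doc`.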