lxml should not do external entity expansion (XXE) by default
Bug #1742885 reported by Lie Ryan
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxml | Fix Released | Wishlist | scoder |
Bug Description
libxml2 defaults to disabling external entity expansion (XXE) since version 2.9.0 (https:/
lxml should either follow the installed libxml2 version's default behavior or explicitly disable processing of external entities.
Test case is attached.
--
Python : sys.version_
lxml.etree : (4, 1, 1, 0)
libxml used : (2, 9, 7)
libxml compiled : (2, 9, 7)
libxslt used : (1, 1, 32)
libxslt compiled : (1, 1, 32)
information type: Private Security → Public
Changed in lxml:
milestone: none → 5.0
assignee: nobody → scoder (scoder)
status: Fix Committed → Fix Released
This is actually documented: http://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint
And the defusedxml package has additional information about security in lxml (and other XML packages): https://bitbucket.org/tiran/defusedxml
I agree that it's something that's worth changing, even though it's a backwards incompatible change.
Pull request welcome. See the "_local_resolver()" function in "parser.pxi". A reasonable logic might be to disallow access to local files by default if the input file itself is not known to be local, but add an XMLParser option to override it. Not sure about the HTMLParser, but that probably suffers from the same issue.
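The hardened parser configuration the bug report and the reply point to, as an added example that is not part of this bug thread or of lxml's own code: it turns off entity substitution, external DTD loading and network access, then checks that an external entity declared in a constructed document survives as an unexpanded reference node instead of having its target read. The placeholder file URI is constructed for the example and is never fetched.

```python
from lxml import etree

# Constructed sample input: the internal subset declares an external parsed
# entity and the content references it. The placeholder path is never read
# because the parser below does not substitute entities.
UNTRUSTED_XML = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY ext SYSTEM "file:///tmp/placeholder-not-read.txt">
]>
<doc>&ext;</doc>"""


def hardened_parser() -> etree.XMLParser:
    """Parser for untrusted input. All four keywords are real XMLParser options."""
    return etree.XMLParser(
        resolve_entities=False,  # keep &ext; as an Entity node, never fetch its target
        load_dtd=False,          # do not fetch an external DTD subset
        no_network=True,         # refuse http/ftp fetches entirely
        huge_tree=False,         # keep libxml2's size limits against expansion bombs
    )


def unexpanded_entities(data: bytes) -> list:
    """Parse with the hardened parser and return the names of entity references
    that remain in the tree as nodes, i.e. that were not substituted."""
    root = etree.fromstring(data, parser=hardened_parser())
    return [node.name for node in root.iter(etree.Entity)]


def serialized(data: bytes) -> bytes:
    """Re-serialize the parsed document so the untouched reference is visible."""
    root = etree.fromstring(data, parser=hardened_parser())
    return etree.tostring(root)


if __name__ == "__main__":
    print(unexpanded_entities(UNTRUSTED_XML))  # ['ext']
    print(serialized(UNTRUSTED_XML))           # b'<doc>&ext;</doc>'
```

A document that should not contain any entity references at all can be rejected outright when the returned list is non-empty, which is a cheaper check than inspecting the DOCTYPE by hand.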