diff options
| author | 2015-01-23 14:56:59 +0100 | |
|---|---|---|
| committer | 2015-01-23 14:56:59 +0100 | |
| commit | c086cb139af7c82845f6d565e636073ff4b37440 (patch) | |
| tree | 3ef0f3c685237cd537e5407eee1b85139cd84359 /src/xplist.c | |
| parent | 82a6acc44759a4b0afb8110d682bc32edc1fd602 (diff) | |
| download | libplist-c086cb139af7c82845f6d565e636073ff4b37440.tar.gz libplist-c086cb139af7c82845f6d565e636073ff4b37440.tar.bz2 | |
xplist: Fix limited but possible XXE security vulnerability with XML plists
By using a specifically crafted XML file an attacker could use plistutil
to issue a GET request to an arbitrary URL or disclose a local file.
The crafted XML file would be using a custom DTD with an external entity
reference pointing to the file. Practical abuse is limited but let's still
fix it nevertheless. Related to CVE-2013-0339 for libxml2 and CWE-827.
Reported by Loïc Bénis from calypt.com. Thanks!
Diffstat (limited to 'src/xplist.c')
| -rw-r--r-- | src/xplist.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/xplist.c b/src/xplist.c index 4c106aa..2e86ee5 100644 --- a/src/xplist.c +++ b/src/xplist.c | |||
| @@ -29,6 +29,7 @@ | |||
| 29 | #include <inttypes.h> | 29 | #include <inttypes.h> |
| 30 | #include <locale.h> | 30 | #include <locale.h> |
| 31 | 31 | ||
| 32 | #include <libxml/xmlIO.h> | ||
| 32 | #include <libxml/parser.h> | 33 | #include <libxml/parser.h> |
| 33 | #include <libxml/tree.h> | 34 | #include <libxml/tree.h> |
| 34 | 35 | ||
| @@ -555,11 +556,22 @@ PLIST_API void plist_to_xml(plist_t plist, char **plist_xml, uint32_t * length) | |||
| 555 | } | 556 | } |
| 556 | } | 557 | } |
| 557 | 558 | ||
| 559 | static xmlParserInputPtr plist_xml_external_entity_loader(const char *URL, const char *ID, xmlParserCtxtPtr ctxt) | ||
| 560 | { | ||
| 561 | return NULL; | ||
| 562 | } | ||
| 563 | |||
| 558 | PLIST_API void plist_from_xml(const char *plist_xml, uint32_t length, plist_t * plist) | 564 | PLIST_API void plist_from_xml(const char *plist_xml, uint32_t length, plist_t * plist) |
| 559 | { | 565 | { |
| 560 | xmlDocPtr plist_doc = xmlParseMemory(plist_xml, length); | 566 | /* CVE-2013-0339: disable external entity loading to prevent XXE vulnerability */ |
| 561 | xmlNodePtr root_node = xmlDocGetRootElement(plist_doc); | 567 | xmlSetExternalEntityLoader(plist_xml_external_entity_loader); |
| 562 | 568 | ||
| 563 | xml_to_node(root_node, plist); | 569 | /* read XML from memory and disable network access for security reasons */ |
| 564 | xmlFreeDoc(plist_doc); | 570 | xmlDocPtr plist_doc = xmlReadMemory(plist_xml, length, "plist_from_xml:memory", NULL, XML_PARSE_NONET); |
| 571 | if (plist_doc) { | ||
| 572 | xmlNodePtr root_node = xmlDocGetRootElement(plist_doc); | ||
| 573 | |||
| 574 | xml_to_node(root_node, plist); | ||
| 575 | xmlFreeDoc(plist_doc); | ||
| 576 | } | ||
| 565 | } | 577 | } |
