Hi,
I am the maintainer of the Perl module MARC::File::XML, which is used
by various applications to manipulate a metadata format used by
libraries, and would like to request the allocation of a CVE
identifier for an XXE vulnerability that is fixed in version 1.0.2 of
the module. I have evidence that the vulnerability can be used in at
least one F/LOSS integrated library system, Koha, to perform an
application-level privilege escalation, and another one, Evergreen, is
likely vulnerable to disclosure of the contents of arbitrary files on
the server. I am a committer to both of those projects.
Fix: http://sourceforge.net/p/marcpm/code/ci/cf2d36597a56eeeffd53b38182b8557c7bf569ac/
marc-xml/t/external-entities.t Diff
+++ b/marc-xml/t/external-entities.t
@@ -0,0 +1,58 @@
+use strict;
+use warnings;
+
+use MARC::Record;
+use MARC::File::XML;
+use File::Temp;
+use Test::More tests => 2;
+
+# we'll allow internal parsed entities
+my $xml_ent = q(<?xml version="1.0" standalone="no" ?>
+<!DOCTYPE subfield [
+ <!ENTITY avram "Henriette Avram">
+]>
+<record>
+ <datafield tag="245" ind1="0" ind2="0">
+ <subfield code="a">The original MARC format /</subfield>
+ <subfield code="c">&avram;</subfield>
+ </datafield>
+</record>);
+
+my $marc_ent = MARC::Record->new_from_xml($xml_ent);
+is($marc_ent->subfield('245', 'c'), 'Henriette Avram', 'can expand normal entity');
+
+# external entities, however, will not be allowed unless a client
+# passes an XML::LibXML::Parser via ->set_parser() that doesn't
+# disable fetching external entities.
+my $xml_ext_ent = q(<?xml version="1.0" standalone="no" ?>
+<!DOCTYPE subfield [
+ <!ENTITY questionable SYSTEM "file://XXX">
+]>
+<record>
+ <datafield tag="245" ind1="0" ind2="0">
+ <subfield code="a">I was run on &questionable; /</subfield>
+ </datafield>
+</record>);
+
+# the following is meant to provide a platform-independent
+# external file that could be successfully retrieved if the
+# parser were allowed fetch external entities; hopefully this
+# will catch any changes to XML::LibXML or libxml2 that somehow
+# cause ext_ent_handler to be ignored.
+my $tmp = File::Temp->new();
+print $tmp 'boo!';
+$xml_ext_ent =~ s/XXX/$tmp/g;
+
+my $marc_ext_ent;
+eval {
+ $marc_ext_ent = MARC::Record->new_from_xml($xml_ext_ent);
+};
+if ($@) {
+ like(
+ $@,
+ qr/External entities are not supported/,
+ 'refused to parse MARCXML record containing external entitities'
+ );
+} else {
+ fail('should have refused to parse MARCXML record containing external entitities, but did not');
+}
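Review bot: the negative path is the only one this test exercises, and the temp file is never flushed after `print $tmp 'boo!';`, so if a regression ever let the fetch through, the entity would most likely expand to an empty string rather than to 'boo!' and the file's contents would prove nothing; add `$tmp->flush;` before the parse so the payload is actually on disk (the else-branch fail() still catches the parse succeeding at all). Separately, the comment at the top promises that a parser passed via ->set_parser() can re-enable external entities, but no assertion covers that opt-in path, and 'entitities' is misspelled in both test descriptions.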
marc-xml/lib/MARC/File/XML.pm Diff
--- a/marc-xml/lib/MARC/File/XML.pm
+++ b/marc-xml/lib/MARC/File/XML.pm
@@ -411,7 +411,11 @@
}
sub _parser {
- $parser ||= XML::LibXML->new();
+ $parser ||= XML::LibXML->new(
+ ext_ent_handler => sub {
+ die "External entities are not supported\n";
+ }
+ );
return $parser;
}
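Review bot: ext_ent_handler is only invoked when libxml2 actually tries to resolve an external entity, so consider also passing `expand_entities => 0` and `load_ext_dtd => 0` (both are documented XML::LibXML->new() options) as defence in depth: the handler then covers the explicit SYSTEM entity case the test checks, while those options stop the parser from loading an external DTD subset at all, and a future change to how XML::LibXML dispatches callbacks would not silently reopen the hole. Note too that the message "External entities are not supported\n" is matched verbatim by the test's regex, so it is effectively part of the interface and should be documented as such.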
@@ -492,7 +496,10 @@
Pass a XML::LibXML parser to MARC::File::XML
for it to use. This is optional, meant for
use by applications that maintain a shared
-parser object.
+parser object or which require that external
+entities be processed. Note that the latter
+is a potential security risk; see
+L<https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing>.
=cut
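Review bot: the POD now explains what a caller-supplied parser may do, but not what the default parser does, so an application maintaining a shared XML::LibXML object can lose the fix without noticing; add a sentence stating that the default parser dies with "External entities are not supported" on any external entity, and that a parser handed to set_parser() must configure its own ext_ent_handler (or disable expand_entities and load_ext_dtd) if the application wants the same protection.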
ChangeLog: https://metacpan.org/changes/distribution/MARC-XML
Announcements:
http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html
http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html
http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html
Thanks,
Galen