Opened 2 years ago

Closed 20 months ago

#944 closed defect (fixed)

check XXE libxml vulnerability

Reported by: pbaumann Owned by: abadoi
Priority: critical Milestone: 9.2
Component: petascope Version: development
Keywords: Cc: mdumitru, drusu
Complexity: Trivial

Description

check the petascope XML parser against this exploit.
We need to make sure everytime an XML is parsed from an external source an XML parser with resolve_entities=False should be passed:

parser = etree.XMLParser(resolve_entities=False)

etree.fromstring(e, parser)
etree.parse(f, parser)

Change History (7)

comment:1 Changed 2 years ago by pbaumann

  • Owner changed from vmerticariu to vzamfir
  • Status changed from new to assigned

comment:2 Changed 2 years ago by dmisev

  • Milestone changed from 9.1 to 9.2

comment:3 Changed 22 months ago by mdumitru

  • Cc drusu added
  • Owner changed from vzamfir to abadoi

comment:4 follow-up: Changed 21 months ago by dmisev

can we get a status report?

comment:5 in reply to: ↑ 4 Changed 21 months ago by drusu

Replying to dmisev:

can we get a status report?

We added the following into XMLUtil.java:
factory = SAXParserFactory.newInstance();

try{

factory.setFeature(FEATURE_XXE_FALSE, false);

}
catch(Exception e){

If feature does not exist => no XXE support anyway so nothing we need to do

};

I think this should work, but we have a problem while running the petascope project in netbeans. It doesnt want to deploy and i think this is because some properties from petascope were changed while creating the framework for testing ( another task ).
Once we fix the petascope I think it will work.

comment:6 Changed 21 months ago by dmisev

You don't need to deploy petascope in NetBeans?, you can (and you should) just make install it and deploy in Tomcat.

comment:7 Changed 20 months ago by pbaumann

  • Resolution set to fixed
  • Status changed from assigned to closed
Note: See TracTickets for help on using tickets.