BaseXdb / basex

BaseX Main Repository.
http://basex.org
BSD 3-Clause "New" or "Revised" License

Fix XXE vulnerability in XmlParser.java #2155

Closed sudosammy closed 1 year ago

sudosammy commented 1 year ago

Thanks for your effort maintaining this library :)

In version 9.1 this method was added which cannot be configured safely to prevent XXE.

Regardless of the configured dtd bool, without control over the external-general-entities feature, external DTDs are evaluated, leading to exploitation.

By my understanding of the library a user passing false to the dtd parameter would not want/expect external DTDs to be evaluated, therefore allowing the feature flag to be controlled by this method resolves the issue.
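As an added illustration of the point made above (this is not BaseX's XmlParser.java nor the code from this pull request), the following standalone Java program builds a SAX reader around a hypothetical `dtd` boolean and shows which feature flags have to be set for that flag to mean what a caller expects. The feature URIs are the real SAX and Xerces identifiers understood by the JDK's built-in parser; the class, method names and the probe document are assumptions constructed for this example. The probe's external references point at a `.invalid` host, which never resolves, so the program only confirms that no fetch is attempted.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Added example, not BaseX code: a "dtd" flag that never lets the parser reach outside the document. */
public final class XxeSafeParserDemo {

    // Real SAX / Xerces feature URIs. The JDK's default parser (Xerces-based) supports all four,
    // and leaves the first three enabled unless the caller turns them off.
    static final String EXT_GENERAL  = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAM    = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXT_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String NO_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Collects element text plus the names of entities the parser declined to expand. */
    static final class Collector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        final StringBuilder skipped = new StringBuilder();
        @Override public void characters(char[] ch, int start, int len) { text.append(ch, start, len); }
        @Override public void skippedEntity(String name) { skipped.append(name).append(';'); }
    }

    /**
     * Hypothetical counterpart of a parser factory method taking a dtd boolean.
     * dtd=true  : the internal DTD subset is honoured, but no external DTD or entity is loaded.
     * dtd=false : any DOCTYPE is rejected outright, which is what "no DTD" should mean.
     */
    static XMLReader newReader(boolean dtd) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        if (dtd) {
            f.setFeature(EXT_GENERAL, false);   // do not expand external general entities
            f.setFeature(EXT_PARAM, false);     // do not expand external parameter entities
            f.setFeature(LOAD_EXT_DTD, false);  // do not fetch the DOCTYPE's SYSTEM/PUBLIC DTD
        } else {
            f.setFeature(NO_DOCTYPE, true);     // a DOCTYPE is a fatal error
        }
        return f.newSAXParser().getXMLReader();
    }

    static Collector parse(boolean dtd, String xml) throws Exception {
        XMLReader reader = newReader(dtd);
        Collector out = new Collector();
        reader.setContentHandler(out);
        reader.parse(new InputSource(new StringReader(xml)));
        return out;
    }

    // Constructed probe: both an external DTD and an external general entity, each pointing at a
    // placeholder host that cannot resolve. A parser that tried to fetch either would fail noisily.
    static final String PROBE =
        "<!DOCTYPE d SYSTEM \"http://placeholder.invalid/probe.dtd\" "
      + "[<!ENTITY ext SYSTEM \"http://placeholder.invalid/probe.txt\">]>"
      + "<d>&ext;</d>";

    public static void main(String[] args) throws Exception {
        // dtd=true: DOCTYPE accepted, nothing fetched; the entity reference yields no text and
        // is reported to skippedEntity instead of being expanded.
        Collector c = parse(true, PROBE);
        System.out.println("dtd=true  text='" + c.text + "' skipped=" + c.skipped);

        // dtd=false: the DOCTYPE itself is rejected before any entity declaration is read.
        try {
            parse(false, PROBE);
            System.out.println("dtd=false unexpectedly accepted a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("dtd=false rejected: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is that `dtd=false` does not merely skip external entities; it disallows the DOCTYPE entirely, so entity-expansion tricks that stay inside the internal subset are also off the table. Compiling and running the class with plain `javac`/`java` needs no dependencies beyond the JDK; a parser configured only by the default factory, with the external-general-entities feature left at its default, would instead try to resolve the placeholder URL.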

ChristianGruen commented 1 year ago

Completely true; thanks for the fix.