PublicaMundi / ckanext-publicamundi

PublicaMundi main CKAN extension
http://publicamundi.eu

Protect against XXE libxml vulnerability #155

Closed drmalex07 closed 9 years ago

drmalex07 commented 9 years ago

Ensure no external (XXE) entities are resolved while parsing XML streams

smanousopoulos commented 9 years ago

We need to make sure that every time an XML is parsed from an external source, an XML parser with resolve_entities=False is passed:

from lxml import etree

# Parser that keeps entity references unexpanded, so no external (XXE) entity is fetched
parser = etree.XMLParser(resolve_entities=False)

# Pass it explicitly to every parse call that handles untrusted input
# (e: XML bytes/string, f: file path or file-like object)
etree.fromstring(e, parser)
etree.parse(f, parser)
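To show what the hardened parser actually does with an XXE probe, here is an added example (not code from ckanext-publicamundi): it constructs a document whose DTD declares an external entity pointing at a throwaway local file, parses it with resolve_entities=False, and reports that the entity reference stays unexpanded and none of the file content reaches the tree. The SAFE_PARSER, parse_untrusted, xxe_document and demo names are this example's own.

```python
"""Added example: parse untrusted XML with lxml so that external (XXE)
entities are never resolved. The document and the file it references are
constructed here purely for the demonstration."""
import os
import tempfile
from lxml import etree

# Hardened parser, as proposed in the issue: entity references are kept
# as references instead of being substituted, so no SYSTEM entity is read.
SAFE_PARSER = etree.XMLParser(resolve_entities=False, no_network=True)


def parse_untrusted(data: bytes) -> etree._Element:
    """Parse XML coming from an external source with the hardened parser."""
    return etree.fromstring(data, SAFE_PARSER)


def xxe_document(secret_path: str) -> bytes:
    """Constructed XXE probe: a DTD declaring an external entity that points
    at a local file, followed by a reference to it in the document body."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE data [<!ENTITY ext SYSTEM "file://%s">]>\n'
        '<data>&ext;</data>\n' % secret_path
    ).encode()


def demo() -> dict:
    """Write a throwaway 'secret' file, parse a document that references it,
    and report what ended up in the parsed tree."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("SECRET-CONTENT")
        path = fh.name
    try:
        root = parse_untrusted(xxe_document(path))
        serialized = etree.tostring(root).decode()
        return {
            # The entity reference survives unexpanded in the serialized output.
            "serialized": serialized,
            # lxml keeps an _Entity node in the tree instead of the file body.
            "entity_node": any(isinstance(c, etree._Entity) for c in root),
            # The file content never made it into the document.
            "leaked": "SECRET-CONTENT" in serialized,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```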

drmalex07 commented 9 years ago

Fixed. Tested against common injection payloads.