search

RefugeRestrooms / refugerestrooms

REFUGE restrooms indexes and maps safe restroom locations for trans, intersex, and gender nonconforming individuals.
http://www.refugerestrooms.org
GNU Affero General Public License v3.0
894 stars 261 forks source link

Libxml2 #387

Closed iforgotband closed 6 years ago

iforgotband commented 6 years ago

Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries it depends on. When handling the expansion of XML external entities (XXE) in libxml2, you can specify documents to be read. Opting into the DTDLOAD option and opting out of the NONET option in Nokogiri allows unknown documents to be loaded from the network. This can be used by attackers to load specially crafted XML documents on an internal XML parsing service and may lead to unauthorized disclosure of potentially sensitive information.

Note: This vulnerability exists also in versions < 1.5.4 regardless of the options opted into or out of. See information here

mi-wood commented 6 years ago

Closing this since we're on nokogiri 1.8.1