Currently, CFPropertyList processes external URL entities in plists. This can lead to third party attacks: a PLIST is provided that references an external URL, causing CFPropertyList to contact the host of the URL to download its contents and include it in the XML.
This merge request extends the spirit of the NOENT parser option by adding NONET as well.
More information about this type of vulnerability is available at https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
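Added example, not part of the merge request or of CFPropertyList's code: a pre-parse screen, in Ruby with the standard library only, that reports DTD entity declarations in an XML plist and flags those whose target is a network URL, which is the case the description above is about. The function, constants and sample documents are constructed for this illustration, and the accepted DOCTYPE pattern assumes the usual Apple plist header.

```ruby
# Added example: screen an XML plist for DTD entity declarations before parsing.
# Pure stdlib; does not call CFPropertyList. All names here are this example's own.
APPLE_DOCTYPE = %r{<!DOCTYPE\s+plist\s+PUBLIC\s+"-//Apple(?: Computer)?//DTD PLIST 1\.0//EN"\s+"https?://www\.apple\.com/DTDs/PropertyList-1\.0\.dtd"\s*[\[>]}
ENTITY_DECL = /<!ENTITY\s+(?<param>%\s+)?(?<name>\S+)\s+(?<ext>SYSTEM\s+|PUBLIC\s+(?:"[^"]*"|'[^']*')\s+)?(?:"(?<dq>[^"]*)"|'(?<sq>[^']*)')/

# Returns findings as hashes; an empty array means nothing suspicious was seen.
# Deliberately conservative: a match inside a comment or CDATA is still reported.
def plist_dtd_findings(xml)
  return [] if xml.start_with?('bplist') # binary plists carry no DTD
  findings = []
  if xml =~ /<!DOCTYPE/ && xml !~ APPLE_DOCTYPE
    findings << { kind: :unexpected_doctype }
  end
  xml.scan(ENTITY_DECL) do |param, name, ext, dq, sq|
    value = dq || sq
    if ext
      # External entity: the parser would have to fetch `value` to expand it.
      network = value.match?(%r{\A(?:https?|ftp)://}i)
      findings << { kind: :external_entity, name: name, target: value,
                    network: network, parameter: !param.nil? }
    else
      findings << { kind: :internal_entity, name: name, parameter: !param.nil? }
    end
  end
  findings
end

# Constructed sample inputs (example.invalid is a reserved, non-resolving name).
HEADER = %(<?xml version="1.0" encoding="UTF-8"?>\n)
APPLE  = %(<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd")
BODY   = %(<plist version="1.0"><dict><key>k</key><string>%s</string></dict></plist>)

CLEAN_PLIST  = HEADER + APPLE + ">\n" + format(BODY, 'v')
REMOTE_PLIST = HEADER + APPLE +
               %( [\n  <!ENTITY ext SYSTEM "http://example.invalid/payload.txt">\n]>\n) +
               format(BODY, '&ext;')
ODD_PLIST    = HEADER + %(<!DOCTYPE plist [ <!ENTITY a "b"> ]>\n) + format(BODY, '&a;')

if __FILE__ == $PROGRAM_NAME
  { clean: CLEAN_PLIST, remote: REMOTE_PLIST, odd: ODD_PLIST }.each do |label, doc|
    puts "#{label}: #{plist_dtd_findings(doc).inspect}"
  end
end
```

A screen like this runs before any parser backend sees the file, so it complements the parser options rather than replacing them.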