Reject `PROPFIND` requests with external entities with a `no-external-entities` precondition

dandi / dandidav

WebDAV view to DANDI Archive

MIT License

4 stars 2 forks source link

Reject `PROPFIND` requests with external entities with a `no-external-entities` precondition #36

Open jwodder opened 10 months ago

jwodder commented 10 months ago

RFC 4918 requires that when a PROPFIND request contains any XML external entities and the server rejects it as a result, the rejection should be a 403 response of the form:

<?xml version="1.0" encoding="utf-8"?>
<error xmlns="DAV:">
    <no-external-entities />
</error>

yarikoptic commented 9 months ago

did we encounter any of such, e.g. as triggered by rclone or some other FUSE system?

jwodder commented 9 months ago

@yarikoptic I don't believe so. The only clients that would ever send bodies with external entities would be malicious. At the moment, it seems that the xml-rs library that dandidav uses for parsing XML simply ignores any external entities.