Closed kentfredric closed 7 years ago
XML::Twig 3.50 has a new option to ->new(), "no_xxe", to avoid problems with CVE-2016-9180 ( https://rt.cpan.org/Ticket/Display.html?id=118097 )
https://metacpan.org/pod/release/MIROD/XML-Twig-3.52/Twig.pm#no_xxe
If Lab::Data::XMLtree does not explicitly need XXE support anywhere, turning this option on might be advised. Especially so if source XML might come from untrusted sources.
https://github.com/lab-measurement/lab-measurement/blob/5b000dae6d83b9a3022f8cd9b7d04e50ca77cc57/Measurement/lib/Lab/Data/XMLtree.pm#L131-L146
```perl
# XML::Twig constructor as used in XMLtree.pm: no no_xxe option is passed,
# so external entities are handled with the module's default behaviour.
my $t = XML::Twig->new(
    pretty_print  => 'indented',
    keep_encoding => 1,
);
$t->parse(
    join "",
    $generator->xmldecl( encoding => 'ISO-8859-1' ),
    $generator->$rootname(
        @{ _write_node_list( $generator, $self->{___declaration}, $data ) }
    ),
);
```
https://bugs.gentoo.org/show_bug.cgi?id=600840 https://bugs.gentoo.org/show_bug.cgi?id=598764
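Added example (not code from the lab-measurement project or from XML::Twig itself) showing the XML::Twig constructor with and without the no_xxe option against a constructed document whose DTD declares an external entity pointing at a temporary file on the parsing host, so the hardened form can be verified to reject it. The XML::Twig->VERSION check, the temp-file setup and the use of only the option under discussion (pretty_print and keep_encoding left out) are my own assumptions.

```perl
#!/usr/bin/perl
# Added example: verify that no_xxe => 1 makes XML::Twig refuse external entities.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::Twig;

# no_xxe only exists from XML::Twig 3.50 on; older releases croak on the
# unknown option, so fail early with a clear message instead.
XML::Twig->VERSION(3.50);

# Constructed input: a throwaway local file stands in for whatever an
# external entity could reach on the host doing the parsing.
my ( $fh, $path ) = tempfile( UNLINK => 1 );
print {$fh} "local-file-contents";
close $fh;

my $doc = <<"XML";
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [ <!ENTITY ext SYSTEM "$path"> ]>
<root>&ext;</root>
XML

# Default constructor (as in XMLtree.pm): the entity is resolved and the
# file contents end up inside the parsed tree.
my $lax = XML::Twig->new();
$lax->parse($doc);
print "default: root text = '", $lax->root->text, "'\n";

# Hardened constructor: no_xxe => 1 makes the parser die when it meets the
# external entity declaration, so the parse is wrapped in eval and a failure
# is the expected, safe outcome.
my $safe = XML::Twig->new( no_xxe => 1 );
my $ok = eval { $safe->parse($doc); 1 };
if ($ok) {
    print "no_xxe: document parsed, which should not happen\n";
}
else {
    print "no_xxe: document rejected: $@";
}
```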
Thanks for the report!
Closing this issue, as Lab::Data::XMLtree is already deprecated, unused and will be removed soon.