lab-measurement / Lab-Measurement

Lab::Measurement allows to perform test and measurement tasks with Perl scripts.
https://www.labmeasurement.de/

Possible SEC fixes needed for XML-Twig CVE-2016-9180 #9

Closed kentfredric closed 7 years ago

kentfredric commented 7 years ago

XML::Twig 3.50 has a new option to ->new(), "no_xxe", to avoid problems with CVE-2016-9180 (https://rt.cpan.org/Ticket/Display.html?id=118097)

https://metacpan.org/pod/release/MIROD/XML-Twig-3.52/Twig.pm#no_xxe

If Lab::Data::XMLtree does not explicitly need XXE support anywhere, turning this option on might be advised.

Especially so if source XML might come from untrusted sources.

https://github.com/lab-measurement/lab-measurement/blob/5b000dae6d83b9a3022f8cd9b7d04e50ca77cc57/Measurement/lib/Lab/Data/XMLtree.pm#L131-L146

```perl
my $t = XML::Twig->new(
    pretty_print  => 'indented',
    keep_encoding => 1,
);
$t->parse(
    join "",
    $generator->xmldecl( encoding => 'ISO-8859-1' ),
    $generator->$rootname(
        @{
            _write_node_list(
                $generator, $self->{___declaration}, $data
            )
        }
    ),
);
```

https://bugs.gentoo.org/show_bug.cgi?id=600840
https://bugs.gentoo.org/show_bug.cgi?id=598764
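Added example, not code from the issue or from Lab::Measurement: the XMLtree constructor with `no_xxe` turned on, run against two constructed documents to show that ordinary data still parses while a document declaring an external entity is refused. It assumes XML::Twig 3.50 or newer (as in the linked documentation) and uses `safe_parse`, which returns undef instead of dying; the `SYSTEM` path is a placeholder that is never opened.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::Twig;

# no_xxe only exists from XML::Twig 3.50 on; fail loudly on an older install.
XML::Twig->VERSION('3.50');

# Drop-in replacement for the constructor in XMLtree.pm: same options,
# plus no_xxe so the parser refuses to resolve external entities.
sub hardened_twig {
    return XML::Twig->new(
        pretty_print  => 'indented',
        keep_encoding => 1,
        no_xxe        => 1,
    );
}

# Returns 1 if the hardened parser accepts $xml, 0 if it refuses ($@ holds the reason).
sub accepts {
    my ($xml) = @_;
    my $t = hardened_twig();
    return $t->safe_parse($xml) ? 1 : 0;
}

# Constructed sample 1: plain data with no DOCTYPE, as XMLtree itself writes it.
my $benign = <<'XML';
<?xml version="1.0" encoding="ISO-8859-1"?>
<measurement><value>1.23</value></measurement>
XML

# Constructed sample 2: declares and references an external entity.
# The SYSTEM identifier is a placeholder; with no_xxe set it is never opened.
my $external = <<'XML';
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE measurement [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">
]>
<measurement><value>&ext;</value></measurement>
XML

for my $case ( [ benign => $benign ], [ external_entity => $external ] ) {
    my ( $name, $xml ) = @$case;
    if ( accepts($xml) ) {
        print "$name: parsed\n";
    }
    else {
        print "$name: refused: $@";
    }
}
```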

amba commented 7 years ago

Thanks for the report!

Closing this issue, as Lab::Data::XMLtree is already deprecated, unused and will be removed soon.