Closed dwarring closed 4 years ago
I want to look at globally setting the default external entity loader to :!net, and selectively re-enabling when requested for schema loading, i.e. secure by default (that's the plan anyway).
Err, there's a much more basic problem, which trumps this original ticket. f2e19a0093cf04ad4c06e78da6dd7322085f31f3 purports to disable networking, but doesn't. Compounded by a lack of appropriate testing.
The following is returning 'True', instead of 'False'.
$ perl6 -I . -e'use LibXML; say LibXML.new.network'
Will fix in both the Parser and Schema loader.
Fixed options. Set Schema default to :!network. Released as 0.2.0.
Just following recent activity on Perl 5 XML::LibXML. GitHub blead has recently disabled network access by default. However this is not enough to disable the schema validator, fixed with https://github.com/shlomif/perl-XML-LibXML/commit/e29829f5aee40bb2f11cf77b426458abf80e8792
These Raku bindings currently have the same weakness, i.e. although !net is the default for parser contexts, this is not sufficient to disable Schema network access.
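A pre-flight check for the weakness discussed in this thread, added here as an example and not code from LibXML or XML::LibXML: it lists the xs:import, xs:include and xs:redefine references in a schema that name a network location, so they can be reviewed before the schema reaches a loader whose network setting is in doubt. It assumes these schemaLocation references are what the schema loader would fetch; the function name and the sample schema are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSD_NS = "http://www.w3.org/2001/XMLSchema"
# XSD elements whose schemaLocation asks a schema loader to read another document.
LOADING_ELEMENTS = {f"{{{XSD_NS}}}{n}" for n in ("import", "include", "redefine")}
LOCAL_SCHEMES = {"", "file"}  # relative references and file: URLs

# Constructed sample schema (not taken from the issue).
SAMPLE_XSD = """<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:import namespace="urn:example:a"
             schemaLocation="http://schemas.example.org/a.xsd"/>
  <xs:include schemaLocation="common/types.xsd"/>
  <xs:import namespace="urn:example:b"
             schemaLocation="file:///etc/schemas/b.xsd"/>
  <xs:redefine schemaLocation="//schemas.example.org/c.xsd"/>
  <xs:element name="doc" type="xs:string"/>
</xs:schema>
"""


def remote_schema_refs(xsd_text):
    """Return (element, schemaLocation) pairs that point at a network location."""
    hits = []
    for elem in ET.fromstring(xsd_text).iter():
        if elem.tag not in LOADING_ELEMENTS:
            continue
        location = elem.get("schemaLocation")
        if location is None:
            continue  # xs:import may omit schemaLocation; nothing to fetch
        parsed = urlparse(location.strip())
        # Remote if the scheme is not local, or a host is named
        # (covers scheme-relative "//host/path" and "file://host/path").
        if parsed.scheme.lower() not in LOCAL_SCHEMES or parsed.netloc:
            hits.append((elem.tag.split("}", 1)[1], location))
    return hits


if __name__ == "__main__":
    for element, location in remote_schema_refs(SAMPLE_XSD):
        print(f"remote reference in xs:{element}: {location}")
```

Schemas pulled in by a flagged reference are not inspected; only the document passed in is scanned.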