Closed timretout closed 4 years ago
Shouldn't network access also be disabled by default, for the same security-related issues?
merged, thanks.
So network access is still enabled or disabled by default?
I opened a new security issue for it: https://github.com/shlomif/perl-XML-LibXML/issues/43
I think some doc fixes are still required...
I think the doc update required is fixed by #48
This is a first pass at disabling XXE attacks by default, bringing XML::LibXML in line with the libxml2 upstream defaults, which were changed in 2013. The original libxml2 CVEs are here: https://www.openwall.com/lists/oss-security/2013/02/22/3
OWASP cheatsheet on libxml2 usage recommends disabling those options: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#libxml2
Related XML::LibXML bug: https://rt.cpan.org/Public/Bug/Display.html?id=118032
I have included a test to show that this doesn't affect expansions such as & as mentioned in that bug report.
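As an added illustration (not code from this pull request), the parser configuration the change makes the default, set explicitly so it holds on any XML::LibXML version, with a constructed document that checks an external entity is left unresolved while an internal entity and `&amp;` still expand. The `file:///tmp/placeholder-secret.txt` path is a placeholder that need not exist.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;

# Build a parser with XXE-resistant settings: no entity substitution,
# no loading of external DTDs, and no network fetches during parsing.
sub hardened_parser {
    return XML::LibXML->new(
        expand_entities => 0,
        load_ext_dtd    => 0,
        no_network      => 1,
    );
}

# Constructed input: an internal entity, a predefined entity (&amp;) and
# an external entity pointing at a placeholder local file (the XXE vector).
my $untrusted_xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY greeting "inline text">
  <!ENTITY leak SYSTEM "file:///tmp/placeholder-secret.txt">
]>
<doc>
  <internal>&greeting;</internal>
  <amp>&amp;</amp>
  <external>&leak;</external>
</doc>
XML

# Parse and return the string value of each element of interest.
sub parse_untrusted {
    my ($xml) = @_;
    my $doc = hardened_parser()->parse_string($xml);
    return {
        internal => $doc->findvalue('/doc/internal'),
        amp      => $doc->findvalue('/doc/amp'),
        external => $doc->findvalue('/doc/external'),
    };
}

my $got = parse_untrusted($untrusted_xml);
printf "internal: [%s]\n", $got->{internal};   # internal entity still expands
printf "amp:      [%s]\n", $got->{amp};        # predefined entity still expands
printf "external: [%s]\n", $got->{external};   # external entity is not loaded
die "external entity was resolved" if length $got->{external};
```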