xmerl allows XXE by default #7539
Comments
Alternatively it should at least be documented, for example:
diff --git a/lib/xmerl/src/xmerl_scan.erl b/lib/xmerl/src/xmerl_scan.erl
index 62b5dd8..77c7b9a 100644
--- a/lib/xmerl/src/xmerl_scan.erl
+++ b/lib/xmerl/src/xmerl_scan.erl
@@ -36,6 +36,12 @@
%% functions.
%% </p>
%% <p>
+%% <strong>Warning:</strong> By default XML entities, including external ones
+%% are loaded, this can lead to XML External Entity (XXE) vulnerabilities if
+%% you're parsing untrusted XML.<br />
+%% To avoid this you need to pass <code>{allow_entities, False}</code>.
+%% </p>
+%% <p>
%% Possible options are:
%% </p>
%% <dl>
(My example might not be right, I write Elixir code rather than Erlang)
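Review bot: the option value in the added line `%% To avoid this you need to pass <code>{allow_entities, False}</code>.` should be the atom `false`, not `False`; a capitalised `False` is a variable name in Erlang, and the OTP-19079 change referenced later in this thread describes the default as 'false'. Also, the warning sentence in the first two added lines would read more clearly with the parenthetical closed and the clauses separated: "By default XML entities, including external ones, are loaded; this can lead to XML External Entity (XXE) vulnerabilities if you're parsing untrusted XML."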
We are discussing internally if we could change the defaults. The main issue is (as always) breaking backwards compatibility.
@feld we are looking into solving this, possibly by changing the default as
Same as before. We are working on it, slowly but steadily, considering options and fixes, to break backwards compatibility as little as possible. If you have any suggestions, please bring them on :)
OTP-19079 Xmerl: Changed default values to disable XXE vulnerabilities
xmerl_scan: default value for allow_entities is now 'false'
xmerl_sax_parser: default value for external_entities is now 'none'
The default values are changed to avoid XML External Entity (XXE) vulnerabilities if one is parsing untrusted XML.
Hello,

xmerl is possibly the most mature XML parsing library in the Erlang ecosystem, but unfortunately it permits XXE vulnerabilities by default. Can this be disabled so everyone writing XML parsing code doesn't have to provide a custom `fetch_fun` for `xmerl_scan` or set `{allow_entities, False}` to close the security hole? This also affects some downstream consumers, including some wrappers for Elixir: https://vuln.be/post/xxe-in-erlang-and-elixir/
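As an added example (not code from this issue or from xmerl itself), an Erlang wrapper that applies both mitigations named above to untrusted input: a `fetch_fun` that never fetches external DTDs or entities, plus `{allow_entities, false}` to disable entity expansion. The module and function names, and the constructed documents in `demo/0`, are assumptions.

```erlang
%% Added example: parse untrusted XML with xmerl_scan without XXE exposure.
%% Module/function names are assumptions, not part of xmerl.
-module(safe_xml).
-export([parse_untrusted/1, reject_fetch/2, demo/0]).

%% Two independent defences:
%%  1. {allow_entities, false} disables entity expansion in xmerl_scan.
%%  2. A fetch_fun that refuses every external fetch, so even a DTD or
%%     entity reference that slips through resolves to nothing.
parse_untrusted(Xml) when is_list(Xml) ->
    Opts = [{allow_entities, false},
            {fetch_fun, fun reject_fetch/2},
            {quiet, true}],          % no chatter on stdout
    try xmerl_scan:string(Xml, Opts) of
        {Doc, _Rest} -> {ok, Doc}
    catch
        %% xmerl_scan reports fatal parse errors via exit/1.
        exit:Reason  -> {error, Reason};
        error:Reason -> {error, Reason}
    end.

%% fetch_fun/2 callback, invoked for each external DTD/entity reference
%% ({system, URI} or {public, Id, URI}). Returning not_fetched tells xmerl to
%% continue without the resource; logging the attempt gives defenders a
%% signal that someone is probing the parser.
reject_fetch(DTDSpec, GlobalState) ->
    logger:warning("refused external XML fetch: ~p", [DTDSpec]),
    {ok, not_fetched, GlobalState}.

demo() ->
    %% Constructed inputs: one declares an external entity (placeholder URI),
    %% one is plain. The first is rejected or left unexpanded; the second parses.
    Hostile = "<?xml version=\"1.0\"?>"
              "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/x\">]>"
              "<d>&ext;</d>",
    Benign  = "<d><name>ok</name></d>",
    {parse_untrusted(Hostile), parse_untrusted(Benign)}.
```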