Configure parser factories to prevent XXE attacks #10
Conversation
|
I'm not knowledgeable enough about how XML is used when it comes to DTDs, schemas etc., but I'm afraid that this is too simple. At least when it comes to UPnP my tests indicate that DTDs can't simply by disabled, that it breaks UPnP. How well have the consequences of this been tested? |
|
@Nadahar I haven't tested downstream, I stumbled upon the ticket. If DTDs are required for UPnP, then the example code on the cheat sheet gives some external resources in comments about other problems to look for. |
|
The tests should cover this well. However except running tests I've only started the Workbench and clicked on a few devices and executed a few actions to verify this fix, nothing more. |
|
It has not fixed the XXE security issue: |
Fix for #9 based on the OWASP Cheat Sheet
I attempted a test for
DOMParserbut even without the changes the parser would fail with aParserException, its unclear to me whether it was an error in my hamfisted XHTML or the parser as it exists wouldn't have been vulnerable to an XXE.