Protect XML parsing against XXE attacks and load DTD from JAR #26
Conversation
solind
commented
Oct 5, 2016
solind
commented
- Take steps to guard against XXE attacks (note that <!DOCTYPE> cannot be disabled in XML plists). See: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java
- Resolve the actual PLIST DTD from inside the JAR file itself, and prevent resolution of other external XML resources.
- Make XMLPlistParser.getDocBuilder public.
…t <!DOCTYPE> cannot be disabled in XML plists). 2) Resolve the actual PLIST DTD from inside the JAR file itself, and prevent resolution of other external XML resources. 3) Make XMLPlistParser.getDocBuilder public
|
First of all, I greatly appreciate your effort to make this library more secure. Regarding 1) The code, especially setting the features, needs to be tested under Android because it uses a different DocumentBuilder implementation than the Oracle JRE. And so far this library has remained Android compatible. Have you done this? Regarding 2) I would not redistribute the DTD which originates from http://www.apple.com/DTDs/PropertyList-1.0.dtd and thus may be copyrighted by Apple Inc. As DTD validation is anyway disabled I see no reason to change that behavior. Or does this in any way compromise the fix against XXE attacks? |
|
Fair enough, I haven't tested whether these properties work on Android. I could wrap each in a try/catch block in case they're not supported. And I understand your copyright concern, I guess it's not strictly necessary to have there anyway unless one wants to validate the XML document. I'll update this PR. |
|
Sounds good, thanks! |
3breadt
changed the title
