
Commit c086cb1

xplist: Fix limited but possible XXE security vulnerability with XML plists
By using a specifically crafted XML file an attacker could use plistutil to issue a GET request to an arbitrary URL or disclose a local file. The crafted XML file would be using a custom DTD with an external entity reference pointing to the file. Practical abuse is limited, but let's fix it nevertheless. Related to CVE-2013-0339 for libxml2 and CWE-827. Reported by Loïc Bénis from calypt.com. Thanks!
1 parent 82a6acc commit c086cb1


1 file changed

+16
-4
lines changed


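--- a/src/xplist.c
+++ b/src/xplist.c
@@ -29,6 +29,7 @@
 #include <inttypes.h>
 #include <locale.h>
 
+#include <libxml/xmlIO.h>
 #include <libxml/parser.h>
 #include <libxml/tree.h>
 
@@ -555,11 +556,22 @@ PLIST_API void plist_to_xml(plist_t plist, char **plist_xml, uint32_t * length)
 }
 }
 
+static xmlParserInputPtr plist_xml_external_entity_loader(const char *URL, const char *ID, xmlParserCtxtPtr ctxt)
+{
+return NULL;
+}
+
 PLIST_API void plist_from_xml(const char *plist_xml, uint32_t length, plist_t * plist)
 {
-xmlDocPtr plist_doc = xmlParseMemory(plist_xml, length);
-xmlNodePtr root_node = xmlDocGetRootElement(plist_doc);
+/* CVE-2013-0339: disable external entity loading to prevent XXE vulnerability */
+xmlSetExternalEntityLoader(plist_xml_external_entity_loader);
 
-xml_to_node(root_node, plist);
-xmlFreeDoc(plist_doc);
+/* read XML from memory and disable network access for security reasons */
+xmlDocPtr plist_doc = xmlReadMemory(plist_xml, length, "plist_from_xml:memory", NULL, XML_PARSE_NONET);
+if (plist_doc) {
+xmlNodePtr root_node = xmlDocGetRootElement(plist_doc);
+
+xml_to_node(root_node, plist);
+xmlFreeDoc(plist_doc);
+}
 }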
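Review bot: The `xmlSetExternalEntityLoader(plist_xml_external_entity_loader)` call added at new line 567 installs a process-wide libxml2 hook on every invocation of plist_from_xml and never restores it, so any entity loader the host application or another library registered is silently replaced for the rest of the process, and a parser running concurrently on another thread sees the loader swapped under it (libplist is a library, not just plistutil). Save and restore it around the parse instead: `xmlExternalEntityLoader prev = xmlGetExternalEntityLoader();` before the set, and `xmlSetExternalEntityLoader(prev);` after the `if (plist_doc)` block. Separately, the new `if (plist_doc)` guard returns without touching `*plist` when xmlReadMemory fails, so unless every caller pre-initialises it (not visible here) a parse failure is indistinguishable from success — consider `*plist = NULL;` at the top of the function. Also, `length` is `uint32_t` but xmlReadMemory takes an `int` size, so a length above INT_MAX becomes negative; this predates the commit, but a range check fits naturally now that the call is being rewritten.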
