xplist: Fix limited but possible XXE security vulnerability with XML plists

By using a specifically crafted XML file an attacker could use plistutil to issue a GET request to an arbitrary URL or disclose a local file. The crafted XML file would be using a custom DTD with an external entity reference pointing to the file. Practical abuse is limited but let's still fix it nevertheless. Related to CVE-2013-0339 for libxml2 and CWE-827. Reported by Loïc Bénis from calypt.com. Thanks!
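A pre-parse check for the kind of input the commit message describes, as an added example that is not libplist's code and not the fix made in this commit. It uses Python's expat bindings to list the entities an XML plist's DTD declares without resolving any of them; the function names and both sample documents are constructed for illustration.

```python
from __future__ import annotations
import xml.parsers.expat as expat

# Constructed sample: ordinary XML plist with the usual Apple DOCTYPE.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>Name</key><string>demo</string></dict></plist>"""

# Constructed sample: custom DTD declaring an external entity (placeholder path).
CRAFTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY ext SYSTEM "file:///constructed/placeholder"> ]>
<plist version="1.0"><dict><key>Name</key><string>&ext;</string></dict></plist>"""


def declared_entities(data: bytes) -> list[tuple[str, str | None]]:
    """Return (name, system_id) for every entity the document's DTD declares.

    system_id is None for internal entities. Nothing is fetched or opened:
    no external-entity handler is installed, so expat only reports declarations.
    """
    found = []
    parser = expat.ParserCreate()
    # Do not load the external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)  # raises expat.ExpatError on malformed XML
    return found


def require_entity_free(data: bytes) -> bytes:
    """Raise ValueError if the plist declares any entity, else return data unchanged."""
    entities = declared_entities(data)
    if entities:
        raise ValueError(f"XML plist declares entities: {entities}")
    return data


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, declared_entities(doc))
```

Well-formed plists have no need for DTD-declared entities, so rejecting any declaration before handing the data to a full XML parser costs nothing in compatibility.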