Prevent XXE when loading circuit files #139

Closed
wants to merge 1 commit into from

@kvakil kvakil commented Nov 6, 2017

This prevents issues with XXE (XML external entity) processing,
particularly for untrusted circuit files. This is potentially dangerous,
since it lets an attacker with a crafted circuit file read files from
a user's system. I have verified that it is possible to create a circuit
file which does this. With this patch, an error message is displayed
instead of XXE occurring.

Some examples of XXE are available on OWASP.

This patch doesn't make any breaking changes with existing circuit
files; it only prevents loading malicious circuit files.
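
One common way to get the behaviour the description above reports (an error instead of entity processing), shown as an added example that is not the code from this pull request. It assumes the loader uses Java's built-in DOM parser (`javax.xml.parsers`); the class name, the `load` helper and the sample XML are hypothetical and constructed, not the project's real file format.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class for illustration; not the project's loader.
public class SafeCircuitLoader {
    // Parser factory that refuses any DOCTYPE, so no entity can be declared at all.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPE ever has to be allowed again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns a status line for the UI: the root element name, or an error message.
    static String load(String xml) {
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            Document doc = hardenedFactory().newDocumentBuilder().parse(in);
            return "loaded <" + doc.getDocumentElement().getTagName() + ">";
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return "cannot load circuit file: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a plain file, and one that declares an external entity.
        String benign = "<?xml version=\"1.0\"?><project><circuit name=\"main\"/></project>";
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE project [<!ENTITY e SYSTEM \"file:///placeholder-not-a-real-path\">]>"
            + "<project><circuit>&e;</circuit></project>";
        System.out.println(load(benign));
        System.out.println(load(withDoctype));
    }
}
```

The second call returns the error string because the parser stops at the DOCTYPE declaration, before any entity is defined or resolved.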

maehne approved these changes Nov 7, 2017
Contributor

@maehne maehne left a comment

Looks good to me!

BFH-ktt1 added a commit that referenced this pull request Nov 8, 2017
Collaborator

@BFH-ktt1 BFH-ktt1 commented Nov 8, 2017

Merged in scaling_resolution_wip branch

@kvakil kvakil deleted the kvakil:xxe-security branch Dec 23, 2018