New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent XXE when loading circuit files #139

Closed
wants to merge 1 commit into
base: master
from

Conversation

Projects
None yet
4 participants
@kvakil
Copy link

kvakil commented Nov 6, 2017

This prevents issues with XXE (XML external entity) processing,
particularly for untrusted circuit files. This is potentially dangerous,
since it lets an attacker with a crafted circuit file to read files from
a user's system. I have verified that it is possible to create a circuit
file which does this. With this patch, an error message is displayed
instead of XXE occurring.

Some examples of XXE are available on on OWASP.

This patch doesn't make any breaking changes with existing circuit
files, it only prevents loading malicious circuit files.

Force secure processing for loading circuit files
This prevents issues with XXE (XML external entity) processing,
particularly for untrusted circuit files.
@maehne

maehne approved these changes Nov 7, 2017

Copy link
Contributor

maehne left a comment

Looks good to me!

BFH-ktt1 added a commit that referenced this pull request Nov 8, 2017

@BFH-ktt1

This comment has been minimized.

Copy link
Collaborator

BFH-ktt1 commented Nov 8, 2017

Merged in scaling_resolution_wip branch

@kvakil kvakil deleted the kvakil:xxe-security branch Dec 23, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment