Don't allow external entities to be injected

Bump LibXML to 1.70 (because we need to specify %param to new() and LibXML changed that method signature in a recent version)
yannk · Jun 13, 2011 · eda00fa · eda00fa
1 parent 48054e7
commit eda00fa
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 3 deletions.
diff --git a/Makefile.PL b/Makefile.PL
@@ -2,7 +2,7 @@ use inc::Module::Install;
 name 'RPC-XML-Parser-LibXML';
 all_from 'lib/RPC/XML/Parser/LibXML.pm';
 
-requires 'XML::LibXML';
+requires 'XML::LibXML' => 1.70;
 requires 'RPC::XML' => 0.73;
 requires 'Carp';
 requires 'Encode';

diff --git a/lib/RPC/XML/Parser/LibXML.pm b/lib/RPC/XML/Parser/LibXML.pm
@@ -25,7 +25,13 @@ my $value_xpath = join "|", map "./$_", qw( int i4 boolean string double dateTim
 sub parse_rpc_xml {
     my $xml = shift;
 
-    my $x = XML::LibXML->new;
+    my $x = XML::LibXML->new({
+        no_network => 1,
+        expand_xinclude => 0,
+        expand_entities => 1,
+        load_ext_dtd => 0,
+        ext_ent_handler => sub { warn "External entities disabled."; '' },
+    });
     my $doc = $x->parse_string($xml)->documentElement;
 
     if ($doc->findnodes('/methodCall')) {

diff --git a/t/RPC-XML-Parser-LibXML.t b/t/RPC-XML-Parser-LibXML.t
@@ -5,7 +5,7 @@
 
 # change 'tests => 1' to 'tests => last_test_to_print';
 
-use Test::More tests => 28;
+use Test::More tests => 30;
 BEGIN { use_ok('RPC::XML::Parser::LibXML') };
 
 use RPC::XML;
@@ -436,3 +436,49 @@ XML
     is $r->{args}->[3]->{description}->value, 'desc';
     is_deeply $r->{args}->[4], [ map RPC::XML::string->new($_), qw( foo bar ) ];
 }
+
+## Don't allow external entities
+{
+    my $r = eval { RPC::XML::Parser::LibXML::parse_rpc_xml(<<XML);
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+    <!ENTITY foo SYSTEM "file:///etc/passwd">
+]>
+<methodCall>
+ <methodName>metaWeblog.newPost</methodName>
+ <params>
+  <param>
+   <value>entity:[&foo;]</value>
+  </param>
+  <param>
+   <value><string>**ACCOUNTNAME**</string></value>
+  </param>
+  <param>
+   <value><string>**PASSWORD**</string></value>
+  </param>
+  <param>
+   <value>
+    <struct>
+     <member><name>title</name><value>test</value></member>
+     <member><name>description</name><value><string>desc</string></value></member>
+    </struct>
+   </value>
+  </param>
+  <param>
+   <value>
+    <array>
+     <data>
+      <value>foo</value>
+      <value><string>$lt;</string></value>
+     </data>
+    </array>
+   </value>
+  </param>
+ </params>
+</methodCall>
+XML
+    };
+
+    ok !$@, "We didn't die...";
+    is $r->{args}->[0]->value, 'entity:[]', "...but entities were ignored";
+}