[njs] XML: removed XML_PARSE_DTDVALID during a document parsing.

Dmitry Volyntsev xeioex at nginx.com
Thu Mar 2 05:52:57 UTC 2023


details:   https://hg.nginx.org/njs/rev/700f267bd903
branches:  
changeset: 2061:700f267bd903
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Wed Mar 01 21:38:09 2023 -0800
description:
XML: removed XML_PARSE_DTDVALID during a document parsing.

When XML_PARSE_DTDVALID is enabled libxml2 parses and executes external
entities present inside an xml document.  This can lead to all the
classic XXE exploits, including SSRF and local file disclosure.

The issue was introduced in 99b9f83e4d4d (0.7.10).

Thanks to @BitK_.

diffstat:

 external/njs_xml_module.c             |   3 +--
 test/xml/external_entity_ignored.t.js |  18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diffs (35 lines):

diff -r 7197f860de2f -r 700f267bd903 external/njs_xml_module.c
--- a/external/njs_xml_module.c	Tue Feb 28 20:34:38 2023 -0800
+++ b/external/njs_xml_module.c	Wed Mar 01 21:38:09 2023 -0800
@@ -432,8 +432,7 @@ njs_xml_ext_parse(njs_vm_t *vm, njs_valu
     }
 
     tree->doc = xmlCtxtReadMemory(tree->ctx, (char *) data.start, data.length,
-                                  NULL, NULL, XML_PARSE_DTDVALID
-                                              | XML_PARSE_NOWARNING
+                                  NULL, NULL, XML_PARSE_NOWARNING
                                               | XML_PARSE_NOERROR);
     if (njs_slow_path(tree->doc == NULL)) {
         njs_xml_error(vm, tree, "failed to parse XML");
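Review bot: the option mask passed to xmlCtxtReadMemory() is now safe only because XML_PARSE_DTDVALID is absent, and nothing in the code records that this is deliberate. A short comment above the call saying that XML_PARSE_DTDVALID must not be added back, because it makes libxml2 load external entities from untrusted input, would keep a later cleanup from reintroducing the issue. Consider also adding XML_PARSE_NONET to the mask as defence in depth, so that the parser refuses network fetches even if a DTD-related option is enabled again.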
diff -r 7197f860de2f -r 700f267bd903 test/xml/external_entity_ignored.t.js
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/xml/external_entity_ignored.t.js	Wed Mar 01 21:38:09 2023 -0800
@@ -0,0 +1,18 @@
+/*---
+includes: [compatXml.js, compatNjs.js]
+flags: []
+paths: []
+---*/
+
+let data = `<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ENTITY c PUBLIC "bar" "extern_entity.txt">
+]>
+<root>&c;</root>
+`;
+
+if (has_njs()) {
+    const xml = require('xml');
+    let doc = xml.parse(data);
+    assert.sameValue(doc.$root.$text, "");
+}
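Review bot: the assertion on `doc.$root.$text` being "" does not distinguish "external entity loading is disabled" from "extern_entity.txt could not be found". The diffstat lists only two files, so no fixture named extern_entity.txt is added with this change, and the test would likely also pass against the old flags when the file is missing from the working directory. Shipping a fixture with known contents next to the test and asserting that those contents do not appear in `$text` would make this a real regression test. A second case using a `SYSTEM` entity would cover the other external identifier form as well, since only the `PUBLIC` form is exercised here.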

