Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
perl-XML-Twig
perl-XML-Twig-CVE-2016-9180.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File perl-XML-Twig-CVE-2016-9180.patch of Package perl-XML-Twig
Description: Update documentation for XML::Twig. Mention problems with expand_external_ents and add information about new no_xxe argument. . Additionally add tests for both expand_external_ents and no_xxe. Origin: vendor Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097 Bug-Debian: https://bugs.debian.org/842893 Author: gregor herrmann <gregoa@debian.org> Last-Update: 2019-03-30 --- a/Twig_pm.slow +++ b/Twig_pm.slow @@ -10454,6 +10454,15 @@ pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some cases. +B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work +as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>. +To completely turn off expanding external entities use C<no_xxe>. + +=item no_xxe + +If this argument is set to a true value, expanding of external entities is +turned off. + =item load_DTD If this argument is set to a true value, C<parse> or C<parsefile> on the twig --- /dev/null +++ b/t/CVE-2016-9180.t @@ -0,0 +1,41 @@ +#!/usr/bin/perl + +use strict; +use warnings; +use Test::More; +use Test::Exception; + +BEGIN { use_ok('XML::Twig'); } + +my $twig = XML::Twig->new( expand_external_ents => 1 ); +$twig->parsefile('t/CVE-2016-9180.xml'); +my $result = $twig->sprint; +like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' ); + +TODO: { + local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097'; + +$twig = XML::Twig->new( expand_external_ents => 0 ); +$twig->parsefile('t/CVE-2016-9180.xml'); +$result = $twig->sprint; +unlike( $result, qr/Boom/, + 'external entity not expanded (expand_external_ents 0)' ); + +$twig = XML::Twig->new( expand_external_ents => -1 ); +$twig->parsefile('t/CVE-2016-9180.xml'); +$result = $twig->sprint; +unlike( $result, qr/Boom/, + 'external entity not expanded and no fail (expand_external_ents -1)' ); + +} + +$twig = XML::Twig->new( no_xxe => 1 ); +throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/, + 'external entity not expanded (no_xxe 1)'; + +$twig = XML::Twig->new( no_xxe => 0 ); +$twig->parsefile('t/CVE-2016-9180.xml'); +$result = $twig->sprint; +like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' ); + +done_testing(); --- /dev/null +++ b/t/CVE-2016-9180.txt @@ -0,0 +1 @@ +Boom --- /dev/null +++ b/t/CVE-2016-9180.xml @@ -0,0 +1,5 @@ +<?xml version="1.0"?> +<!DOCTYPE foo [ + <!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt"> +]> +<root>&xxe;</root>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor