You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The change #39 about load_ext_dtd introduced an unexpected issue, with possible security implications: when one sets validation to 1 without also setting load_ext_dtd to 1, the document is always regarded as valid.
It is probable that existing scripts that set validation to 1 do not explicitly set load_ext_dtd to 1, because 1 was the default and also because it is rather obvious that if the user wants validation, he also wants to load the DTD, which is needed for the validation. So this silently breaks validation. This may have security implications as validation can normally be used to check that input from untrusted source does not contain unexpected contents (e.g. contents that is likely to yield data injection).
#!/usr/bin/env perl
# Update the xhtml directory.
use strict;
use XML::LibXML;
my $s = <<EOF;
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
<root/>
EOF
my $parser = XML::LibXML->new();
$parser->validation(1);
my $doc = $parser->parse_string($s);
Before the change of the load_ext_dtd default value, the fact that the DTD could not be loaded was properly reported, with a fatal error:
:2: I/O error : failed to load external entity "does-not-exist.dtd"
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
^
:3: validity error : Validation failed: no DTD found !
<root/>
^
The text was updated successfully, but these errors were encountered:
The change #39 about
load_ext_dtd
introduced an unexpected issue, with possible security implications: when one sets validation to 1 without also settingload_ext_dtd
to 1, the document is always regarded as valid.It is probable that existing scripts that set validation to 1 do not explicitly set
load_ext_dtd
to 1, because 1 was the default and also because it is rather obvious that if the user wants validation, he also wants to load the DTD, which is needed for the validation. So this silently breaks validation. This may have security implications as validation can normally be used to check that input from untrusted source does not contain unexpected contents (e.g. contents that is likely to yield data injection).See for instance: https://cwe.mitre.org/data/definitions/112.html
Example:
Before the change of the
load_ext_dtd
default value, the fact that the DTD could not be loaded was properly reported, with a fatal error:The text was updated successfully, but these errors were encountered: