XML XXE

discuss-gnustep

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XML XXE

From:	Ivan Vučica
Subject:	XML XXE
Date:	Fri, 11 Apr 2014 13:46:31 +0000

Just pinging in case our NSXMLDocument implementation is vulnerable to XML XXE.

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

libxml2 after 2.9 has this disabled by default.

On iOS (and presumably OS X) one is safe only by specifying NSXMLNodeLoadExternalEntitiesNever.

I can't check right now, but if GNUstep does behave the same way as OS X/iOS, anyone writing network services and using GNUstep's NSXMLDocument may want to check that they are safe.

[Prev in Thread]

Current Thread

[Next in Thread]

XML XXE, Ivan Vučica <=
- Re: XML XXE, Fred Kiefer, 2014/04/11

Prev by Date: Re: New experimental grid view for GNUstep software index
Next by Date: Re: Chromium embedded, a shortcut for webkit?
Previous by thread: Some thoughts on recent Xcode versions
Next by thread: Re: XML XXE
Index(es):
- Date
- Thread