Closed Bug 883807 Opened 11 years ago Closed 11 years ago

Snippets service XML validator should not resolve XML external entities

Categories

(Snippets :: Service, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: freddy, Assigned: giorgos)

References

Details

(Keywords: sec-moderate, wsec-injection)

Attachments

(1 file)

Even though the enclosing <div> tags might prevent most problems, the default settings of the Python xml.sax parser do resolve XML External Entities.
This might result in DoS or data leakage.

This document from OWASP explains the problem in a longer fashion: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

I recommend disabling this feature from the parser. A patch (git diff) has been attached and is waiting for review :)
Attachment #763490 - Flags: review?(giorgos)
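The following is an added example, not part of the bug report or of the snippets-service code, showing the parser behaviour the report describes: Python's xml.sax parser with external general entities enabled versus disabled. It builds a constructed snippet-like document whose DOCTYPE declares an external entity pointing at a local file the script itself creates, then parses it with both settings and returns the text the content handler saw. The feature name `feature_external_ges` is the real xml.sax.handler constant; the file name, entity name and document content are constructed for the demo, and the helper functions (`parse_snippet`, `run_demo`) are this example's own, not the project's.

```python
"""Added example: external general entity handling in Python's xml.sax.

Parses the same constructed document with the weak setting (external
entities resolved) and the hardened setting (not resolved) and returns the
text the content handler collected in each case.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulates character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts)


def parse_snippet(xml_bytes, resolve_external_entities):
    """Parse xml_bytes with xml.sax and return the collected text.

    resolve_external_entities=True  -> weak setting: SYSTEM entities are read
    resolve_external_entities=False -> hardened setting: they are skipped
    """
    parser = xml.sax.make_parser()
    # feature_external_ges governs expansion of external *general* entities,
    # i.e. <!ENTITY name SYSTEM "..."> declarations referenced as &name;.
    # CPython turned it off by default in 3.7.1; set it explicitly so the
    # example does not depend on the interpreter's default.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def run_demo():
    """Parse a constructed snippet that references a local file, both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a file on the server that the parser
        # should never be tricked into reading; the content is arbitrary.
        local_file = os.path.join(tmp, "local-file.txt")
        with open(local_file, "w", encoding="utf-8") as fh:
            fh.write("constructed-local-file-contents")

        # Constructed snippet: the internal DTD subset declares an external
        # entity whose SYSTEM id is the local path, then references it inside
        # the <div> that wraps snippet content.
        snippet = (
            '<!DOCTYPE div [<!ENTITY ext SYSTEM "{}">]>'
            "<div>&ext;</div>"
        ).format(local_file).encode("utf-8")

        return {
            "weak": parse_snippet(snippet, resolve_external_entities=True),
            "hardened": parse_snippet(snippet, resolve_external_entities=False),
        }


if __name__ == "__main__":
    results = run_demo()
    print("weak setting, text seen:    ", repr(results["weak"]))
    print("hardened setting, text seen:", repr(results["hardened"]))
```

With the weak setting the collected text is the file's contents, which is the leakage the report warns about; with the hardened setting the entity reference is skipped and the collected text is empty. Disabling `feature_external_ges` is the single-switch fix for a parser you construct yourself; the defusedxml package is the usual drop-in when you want the same protection applied across all of Python's XML modules.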
Assignee: nobody → giorgos
Status: NEW → ASSIGNED
Thanks for reporting, Freddy!

Fixed https://github.com/mozilla/snippets-service/commit/2e81de81fbb6f56a179f3cff43c6af254ee92715
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Attachment #763490 - Flags: review?(giorgos) → review+
Group: websites-security
