It was found that XML::LibXML is vulnerable to XXE attack as it has enabled external entity loading by default.
Created perl-libxml-perl tracking bugs for this issue:
Affects: fedora-all [bug 1377997]
(In reply to Adam Mariš from comment #1)
> Created perl-libxml-perl tracking bugs for this issue:
> Affects: fedora-all [bug 1377997]
That's the wrong component. The Debian bug is about <http://search.cpan.org/~shlomif/XML-LibXML-2.0116/> that is packaged as libxml-libxml-perl in Debian and as perl-XML-LibXML in Fedora.
I forwarded the request for changing default behavior to the LibXML-XML upstream <https://rt.cpan.org/Public/Bug/Display.html?id=118032>.
Created attachment 1203692 [details]
This reveals /etc/passwd content. Fixed Perl should not allow that if loading (external) entities was not requested explicitly.
Programs and libraries using XML::LibXML can disable this behaviour by
passing `expand_entities => 0` to the constructor XML::LibXML->new().
Created attachment 1206227 [details]
Yes, but that disables expanding internal entities too. This is unacceptable. I think XML::LibXML or libxml2 is missing a knob that affects external entities only.
Attached script accepts an optional argument and passes it as the expand_entities option value if it exists. If you execute it with "0", it also disables expanding the internal entity. And I think this is wrong.
Created attachment 1206255 [details]
Disable entity expansion
Proposed fix that disables entity expansion by default. It affects both external and internal entities.
It still allows loading an external DTD.
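As an added illustration (not an attachment from this bug, and not the reproducer discussed above), a small Perl script contrasting the historical XML::LibXML default with the `expand_entities => 0` mitigation from the comment above, including the drawback that internal entities stop expanding too. The `load_ext_dtd` and `no_network` constructor options are real XML::LibXML options added here beyond what the thread mentions, and the external entity points at a temp file created by the script rather than /etc/passwd.

```perl
#!/usr/bin/perl
# Added example, not part of this bug report. Shows how the constructor
# options discussed in the thread change what XML::LibXML does with entities.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed stand-in for a sensitive local file (instead of /etc/passwd).
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print {$fh} "SECRET-CONTENT\n";
close $fh;

# Constructed document with one internal entity (&i;) and one external
# entity (&c;) whose system identifier is the local file above.
my $xml = <<"XML";
<!DOCTYPE foo [
<!ENTITY c SYSTEM "$secret_path">
<!ENTITY i "ivalue">
]>
<foo><int>&i;</int><ext>&c;</ext></foo>
XML

# Parse with the given constructor options and return the serialized root.
sub parse_with {
    my (%opts) = @_;
    my $parser = XML::LibXML->new(%opts);
    my $doc = eval { $parser->parse_string($xml) };
    return $@ ? "parse error: $@" : $doc->documentElement->toString;
}

# Did the file content end up in the parsed output? (the check the
# thread's reproducer makes by eye)
sub leaks_secret {
    my ($output) = @_;
    return $output =~ /SECRET-CONTENT/ ? 1 : 0;
}

# Historical default (expand_entities => 1, before XML-LibXML 2.0202):
# both &i; and &c; are substituted, so the file content lands inside <ext>.
my $default_out = parse_with(expand_entities => 1);
print "default:  $default_out\n  leaks secret: ", leaks_secret($default_out), "\n";

# Mitigation from the comment above: entity references are left in place, so
# the file is never read, but &i; is no longer expanded either. load_ext_dtd
# and no_network (assumed here, not from the thread) also stop DTD fetching.
my $hardened_out = parse_with(expand_entities => 0, load_ext_dtd => 0, no_network => 1);
print "hardened: $hardened_out\n  leaks secret: ", leaks_secret($hardened_out), "\n";
```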
Created attachment 1232169 [details]
I attached wrong file. This is the correct parametrized reproducer that exhibits various types of entities.
XML-LibXML upstream stopped enabling expansion of DTD-defined entities in commit <https://github.com/shlomif/perl-XML-LibXML/commit/ff99d94a5186fecf90b88379755434739550b5a9> and released version 2.0202. The reproducer now prints:
<!DOCTYPE foo [
<!ENTITY c PUBLIC "bar" "/etc/passwd">
<!ENTITY i "ivalue">
Since it also affects entities defined in the internal DTD, I do not recommend applying the patch to stable distributions.