Description: Update documentation for XML::Twig.
Mention problems with expand_external_ents and add
information about new no_xxe argument.
.
Additionally add tests for both expand_external_ents and no_xxe.
Origin: vendor
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
Bug-Debian: https://bugs.debian.org/842893
Author: gregor herrmann <gregoa@debian.org>
Last-Update: 2019-03-30
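--- a/Twig_pm.slow
+++ b/Twig_pm.slow
@@ -10454,6 +10454,15 @@
 pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
 cases.
 
+B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
+as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
+To completely turn off expanding external entities use C<no_xxe>.
+
+=item no_xxe
+
+If this argument is set to a true value, expanding of external entities is
+turned off.
+
 =item load_DTD
 
 If this argument is set to a true value, C<parse> or C<parsefile> on the twig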
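Review bot: The new `=item no_xxe` paragraph says expansion is "turned off" but does not say what happens when the document actually contains an external entity; the test added in the same patch (t/CVE-2016-9180.t) expects `parsefile` to die with a message matching `cannot expand &xxe;` when `no_xxe` is set, which is a stricter contract than the silent non-expansion a reader would infer from this wording. Suggest spelling that out in the item, e.g. `If this argument is set to a true value, external entities are not expanded; a document that references one (for example C<&xxe;>) causes the parse to die with a "cannot expand" error instead.` (the exact message text should be taken from the implementation, which is outside this hunk). It is also worth stating in the item that `no_xxe` is the recommended way to disable external entities, since the warning above it already sends readers here and the two should agree.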
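--- /dev/null
+++ b/t/CVE-2016-9180.t
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More;
+use Test::Exception;
+
+BEGIN { use_ok('XML::Twig'); }
+
+my $twig = XML::Twig->new( expand_external_ents => 1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+my $result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
+
+TODO: {
+ local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
+
+$twig = XML::Twig->new( expand_external_ents => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded (expand_external_ents 0)' );
+
+$twig = XML::Twig->new( expand_external_ents => -1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded and no fail (expand_external_ents -1)' );
+
+}
+
+$twig = XML::Twig->new( no_xxe => 1 );
+throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
+ 'external entity not expanded (no_xxe 1)';
+
+$twig = XML::Twig->new( no_xxe => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
+
+done_testing();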
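Review bot: The two `$twig->parsefile('t/CVE-2016-9180.xml')` calls inside the `TODO:` block (the `expand_external_ents => 0` and `-1` cases) are unguarded, so if the known-broken settings ever make the parser die instead of merely expanding the entity, the exception escapes the block and aborts the script before `done_testing()` — `local $TODO` only downgrades failing assertions, it does not catch dies. Since Test::Exception is already loaded, each call can be wrapped, e.g. `lives_ok { $twig->parsefile('t/CVE-2016-9180.xml') } 'parsefile does not die (expand_external_ents 0)';`, keeping the `sprint`/`unlike` checks as they are. Note that Test::Exception is not a core module, so this file adds a test-time dependency; the single `throws_ok` could equally be written as `eval { $twig->parsefile('t/CVE-2016-9180.xml') }; like( $@, qr/cannot expand &xxe;/, 'external entity not expanded (no_xxe 1)' );` if the suite is meant to stay on Test::More only. Stylistically, the statements inside the `TODO:` block are at column 0 while the `local $TODO` line is indented; indenting the whole block body would make its extent obvious.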
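--- /dev/null
+++ b/t/CVE-2016-9180.txt
@@ -0,0 +1 @@
+Boom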
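--- /dev/null
+++ b/t/CVE-2016-9180.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+ <!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
+]>
+<root>&xxe;</root>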