@ptrgits ptrgits commented Aug 8, 2025

To fix the XXE vulnerability, we should disable external entity expansion and DTD loading when parsing untrusted XML. In libxml2, this is done by omitting the XML_PARSE_NOENT and XML_PARSE_DTDLOAD flags from the parser options. If DTDs are required for valid XML, use XML_PARSE_DTDATTR or other safer options, but never XML_PARSE_NOENT or XML_PARSE_DTDLOAD on untrusted input. The fix is to change line 384 in src/http/modules/ngx_http_xslt_filter_module.c to remove these flags, leaving only safe options such as XML_PARSE_NOWARNING. If you need to allow DTDs for validation, use XML_PARSE_DTDVALID instead, but do not allow loading external DTDs or entity expansion.

References

XML External Entity (XXE) Processing
XML External Entity Prevention Cheat Sheet
Timothy Morgan: XML Schema, DTD, and Entity Attacks
Timur Yunusov, Alexey Osipov: XML Out-Of-Band Data Retrieval

@ptrgits ptrgits closed this by deleting the head repository Sep 17, 2025
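
An added example, not part of the pull request or the nginx code base: a small Python check that scans C source for libxml2 parse calls whose options argument names XML_PARSE_NOENT or XML_PARSE_DTDLOAD, the two flags the comment above says to drop. The helper names and the `SAMPLE` snippet are constructed for illustration; the scan is a heuristic that does not follow flags passed through a variable or parse string literals.

```python
import re

# Flags the comment above says must never be set for untrusted input.
RISKY_FLAGS = ("XML_PARSE_NOENT", "XML_PARSE_DTDLOAD")
# libxml2 entry points that accept a parser-options bitmask.
CALL_RE = re.compile(
    r"\b(xmlRead(?:Memory|File|Doc|Fd)|xmlCtxtRead(?:Memory|File|Doc|Fd)"
    r"|xmlCtxtUseOptions)\s*\(")

def strip_comments(src):
    """Blank out C comments, keeping newlines so line numbers stay valid."""
    return re.sub(r"/\*.*?\*/|//[^\n]*",
                  lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)

def call_args(code, open_paren):
    """Return the text between a '(' and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(code)):
        depth += {"(": 1, ")": -1}.get(code[i], 0)
        if depth == 0:
            return code[open_paren + 1:i]
    return code[open_paren + 1:]  # unbalanced input: scan to the end

def find_risky_calls(src):
    """Return (line, function, risky_flags) for each flagged parse call."""
    code = strip_comments(src)
    findings = []
    for m in CALL_RE.finditer(code):
        args = call_args(code, m.end() - 1)
        hits = [f for f in RISKY_FLAGS if re.search(r"\b%s\b" % f, args)]
        if hits:
            findings.append((code.count("\n", 0, m.start()) + 1, m.group(1), hits))
    return findings

# Constructed C snippet for the demo; it is not nginx source.
SAMPLE = """\
doc = xmlReadMemory(buf, len, "in.xml", NULL,
                    XML_PARSE_NOENT | XML_PARSE_DTDLOAD
                    | XML_PARSE_NOWARNING);
/* xmlReadFile(path, NULL, XML_PARSE_NOENT); */
xmlCtxtUseOptions(ctxt, XML_PARSE_NOWARNING);
xmlCtxtUseOptions(ctxt, XML_PARSE_DTDLOAD | XML_PARSE_DTDATTR);
"""

if __name__ == "__main__":
    for line, func, flags in find_risky_calls(SAMPLE):
        print(f"line {line}: {func} sets {', '.join(flags)}")
```

The commented-out call on line 4 of the sample is ignored, and the multi-line call is reported at the line where the function name appears.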