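diff -uPr xmlsec1-1.2.20/apps/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c
--- xmlsec1-1.2.20/apps/xmlsec.c 2017-08-09 12:45:45.246669522 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c 2017-07-18 12:21:59.554749331 -0400
@@ -528,6 +528,19 @@
 NULL
 };
 
+static xmlSecAppCmdLineParam xxeParam = {
+ xmlSecAppCmdLineTopicAll,
+ "--xxe",
+ NULL,
+ "--xxe"
+ "\n\tenable External Entity resolution."
+ "\n\tWARNING: this may allow the reading of arbitrary files and URLs,"
+ "\n\tcontrolled by the input XML document. Use with caution!",
+ xmlSecAppCmdLineParamTypeFlag,
+ xmlSecAppCmdLineParamFlagNone,
+ NULL
+};
+
 
 /****************************************************************
 *
@@ -904,6 +917,7 @@
 &disableErrorMsgsParam,
 &printCryptoErrorMsgsParam,
 &helpParam,
+ &xxeParam,
 
 /* MUST be the last one */
 NULL
@@ -1087,6 +1101,11 @@
 goto fail;
 }
 
+ /* enable XXE? */
+ if(xmlSecAppCmdLineParamIsSet(&xxeParam)) {
+ xmlSecSetExternalEntityLoader( NULL ); // reset to libxml2's default handler
+ }
+
 /* get the "repeats" number */
 if(xmlSecAppCmdLineParamIsSet(&repeatParam) &&
 (xmlSecAppCmdLineParamGetInt(&repeatParam, 1) > 0)) {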
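diff -uPr xmlsec1-1.2.20/include/xmlsec/xmlsec.h xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h
--- xmlsec1-1.2.20/include/xmlsec/xmlsec.h 2014-05-27 14:29:01.000000000 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h 2017-07-18 12:21:59.555749324 -0400
@@ -89,6 +89,7 @@
 
 XMLSEC_EXPORT int xmlSecInit (void);
 XMLSEC_EXPORT int xmlSecShutdown (void);
+XMLSEC_EXPORT void xmlSecSetExternalEntityLoader (xmlExternalEntityLoader);
 
 
 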
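diff -uPr xmlsec1-1.2.20/src/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c
--- xmlsec1-1.2.20/src/xmlsec.c 2014-05-27 14:29:01.000000000 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c 2017-08-09 12:44:03.386416274 -0400
@@ -25,6 +25,56 @@
 #include <xmlsec/errors.h>
 
 /**
+ * Custom external entity handler, denies all files except the initial
+ * document we're parsing (input_id == 1)
+ */
+/* default external entity loader, pointer saved during xmlInit */
+static xmlExternalEntityLoader
+xmlSecDefaultExternalEntityLoader = NULL;
+
+/*
+ * xmlSecNoXxeExternalEntityLoader:
+ * @URL: the URL for the entity to load
+ * @ID: public ID for the entity to load
+ * @ctxt: XML parser context, or NULL
+ *
+ * See libxml2's xmlLoadExternalEntity and xmlNoNetExternalEntityLoader.
+ * This function prevents any external (file or network) entities from being loaded.
+ */
+static xmlParserInputPtr
+xmlSecNoXxeExternalEntityLoader(const char *URL, const char *ID,
+ xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL) {
+ return(NULL);
+ }
+ if (ctxt->input_id == 1) {
+ return xmlSecDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
+ }
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecNoXxeExternalEntityLoader",
+ XMLSEC_ERRORS_R_XML_FAILED,
+ "illegal external entity='%s'", xmlSecErrorsSafeString(URL));
+ return(NULL);
+}
+
+/*
+ * xmlSecSetExternalEntityLoader:
+ * @entityLoader: the new entity resolver function, or NULL to restore
+ * libxml2's default handler
+ *
+ * Wrapper for xmlSetExternalEntityLoader.
+ */
+void
+xmlSecSetExternalEntityLoader(xmlExternalEntityLoader entityLoader) {
+ if (entityLoader == NULL) {
+ entityLoader = xmlSecDefaultExternalEntityLoader;
+ }
+ xmlSetExternalEntityLoader(entityLoader);
+}
+
+
+/**
 * xmlSecInit:
 *
 * Initializes XML Security Library. The depended libraries
@@ -85,6 +135,12 @@
 }
 #endif /* XMLSEC_NO_XKMS */
 
+ /* initialise safe external entity loader */
+ if (!xmlSecDefaultExternalEntityLoader) {
+ xmlSecDefaultExternalEntityLoader = xmlGetExternalEntityLoader();
+ }
+ xmlSetExternalEntityLoader(xmlSecNoXxeExternalEntityLoader);
+
 /* we use rand() function to generate id attributes */
 srand(time(NULL));
 return(0);
@@ -182,4 +238,3 @@
 return(1);
 }
 
-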
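Review bot: `xmlSecSetExternalEntityLoader()` in the @@ -25 hunk falls back to `xmlSecDefaultExternalEntityLoader` when called with NULL, but that static stays NULL until xmlSecInit() assigns it in the @@ -85 hunk, so a pre-init call hands NULL straight to `xmlSetExternalEntityLoader()`; as far as I can tell libxml2 stores that pointer unchecked and calls through it on the next xmlLoadExternalEntity(). Since the function is exported in xmlsec.h, I would add `if (entityLoader == NULL) { return; } /* xmlSecInit() has not saved a loader yet */` after the existing fallback. The `/** Custom external entity handler ... */` text is spliced between the existing `/**` and ` * xmlSecInit:` lines, so after the patch it heads the static variable rather than xmlSecNoXxeExternalEntityLoader(), whose own description is the plain `/*` block; moving it onto the function and leaving the variable with its one-line comment would read correctly. Nothing in the patch restores the saved loader in xmlSecShutdown(), so the hook stays installed after shutdown; libxml2's entity loader is a global setting shared with the host application, so if that is intended it deserves a comment on the static, and if not, the shutdown path should put the saved loader back.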