diff -uPr xmlsec1-1.2.20/apps/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c
--- xmlsec1-1.2.20/apps/xmlsec.c	2017-08-09 12:45:45.246669522 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c	2017-07-18 12:21:59.554749331 -0400
@@ -528,6 +528,19 @@
     NULL
 };    
 
+static xmlSecAppCmdLineParam xxeParam = { 
+    xmlSecAppCmdLineTopicAll,
+    "--xxe",
+    NULL,   
+    "--xxe"
+    "\n\tenable External Entity resolution."
+    "\n\tWARNING: this may allow the reading of arbitrary files and URLs,"
+    "\n\tcontrolled by the input XML document.  Use with caution!",
+    xmlSecAppCmdLineParamTypeFlag,
+    xmlSecAppCmdLineParamFlagNone,
+    NULL
+};    
+
 
 /****************************************************************
  *
@@ -904,6 +917,7 @@
     &disableErrorMsgsParam,
     &printCryptoErrorMsgsParam,
     &helpParam,
+    &xxeParam,
         
     /* MUST be the last one */
     NULL
@@ -1087,6 +1101,11 @@
         goto fail;
     }
     
+    /* enable XXE? */
+    if(xmlSecAppCmdLineParamIsSet(&xxeParam)) {
+        xmlSecSetExternalEntityLoader( NULL );     // reset to libxml2's default handler
+    }
+
     /* get the "repeats" number */
     if(xmlSecAppCmdLineParamIsSet(&repeatParam) && 
        (xmlSecAppCmdLineParamGetInt(&repeatParam, 1) > 0)) {
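Review bot: The comment on the new `xmlSecSetExternalEntityLoader( NULL )` line uses `//` while the surrounding code in this hunk and file uses `/* */`; suggest `/* --xxe: restore the loader saved by xmlSecInit(), i.e. libxml2's default */`. That comment should also say the call only has the intended effect after xmlSecInit() has run, because the NULL argument is replaced by the pointer xmlSecInit() captures (see the src/xmlsec.c hunk), and this hunk does not show whether that ordering holds here. The enclosing function starts and ends outside the hunk.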
diff -uPr xmlsec1-1.2.20/include/xmlsec/xmlsec.h xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h
--- xmlsec1-1.2.20/include/xmlsec/xmlsec.h	2014-05-27 14:29:01.000000000 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h	2017-07-18 12:21:59.555749324 -0400
@@ -89,6 +89,7 @@
 
 XMLSEC_EXPORT int       xmlSecInit              (void);
 XMLSEC_EXPORT int       xmlSecShutdown          (void);
+XMLSEC_EXPORT void      xmlSecSetExternalEntityLoader (xmlExternalEntityLoader);
 
 
 
diff -uPr xmlsec1-1.2.20/src/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c
--- xmlsec1-1.2.20/src/xmlsec.c	2014-05-27 14:29:01.000000000 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c	2017-08-09 12:44:03.386416274 -0400
@@ -25,6 +25,56 @@
 #include <xmlsec/errors.h>
 
 /**
+ * Custom external entity handler, denies all files except the initial
+ * document we're parsing (input_id == 1)
+ */
+/* default external entity loader, pointer saved during xmlInit */
+static xmlExternalEntityLoader
+xmlSecDefaultExternalEntityLoader = NULL;
+
+/*
+ * xmlSecNoXxeExternalEntityLoader:
+ * @URL:        the URL for the entity to load
+ * @ID:         public ID for the entity to load
+ * @ctxt:       XML parser context, or NULL
+ *
+ * See libxml2's xmlLoadExternalEntity and xmlNoNetExternalEntityLoader.
+ * This function prevents any external (file or network) entities from being loaded.
+ */
+static xmlParserInputPtr
+xmlSecNoXxeExternalEntityLoader(const char *URL, const char *ID,
+                          xmlParserCtxtPtr ctxt) {
+    if (ctxt == NULL) {
+        return(NULL);
+    }
+    if (ctxt->input_id == 1) {
+        return xmlSecDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
+    }
+    xmlSecError(XMLSEC_ERRORS_HERE,
+                NULL,
+                "xmlSecNoXxeExternalEntityLoader",
+                XMLSEC_ERRORS_R_XML_FAILED,
+                "illegal external entity='%s'", xmlSecErrorsSafeString(URL));
+    return(NULL);
+}
+
+/*
+ * xmlSecSetExternalEntityLoader:
+ * @entityLoader:       the new entity resolver function, or NULL to restore 
+ *                      libxml2's default handler
+ *
+ * Wrapper for xmlSetExternalEntityLoader.
+ */
+void
+xmlSecSetExternalEntityLoader(xmlExternalEntityLoader entityLoader) {
+    if (entityLoader == NULL) {
+        entityLoader = xmlSecDefaultExternalEntityLoader;
+    }
+    xmlSetExternalEntityLoader(entityLoader);
+}
+
+
+/**
  * xmlSecInit:
  *
  * Initializes XML Security Library. The depended libraries
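Review bot: xmlSecSetExternalEntityLoader() replaces a NULL argument with xmlSecDefaultExternalEntityLoader, but that pointer is itself NULL until xmlSecInit() has captured it, so a call made before init passes NULL straight to xmlSetExternalEntityLoader(); I cannot tell from here whether libxml2 tolerates a NULL loader, so add a guard after the existing fallback: `if (entityLoader == NULL) { return; /* xmlSecInit() has not run yet */ }`. The `/**` block at the top of the hunk describes the handler but is attached to the static pointer, while both new functions carry plain `/*` comments, so the public xmlSecSetExternalEntityLoader would be skipped by the doc generator; move the `/**` form onto the function. That function comment should also note that the libxml2 entity loader is a process-wide setting, so changing it here affects every libxml2 parse in the host application, not only xmlsec's.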
@@ -85,6 +135,12 @@
     }
 #endif /* XMLSEC_NO_XKMS */
 
+    /* initialise safe external entity loader */
+    if (!xmlSecDefaultExternalEntityLoader) {
+        xmlSecDefaultExternalEntityLoader = xmlGetExternalEntityLoader();
+    }
+    xmlSetExternalEntityLoader(xmlSecNoXxeExternalEntityLoader);
+
     /* we use rand() function to generate id attributes */
     srand(time(NULL));
     return(0);
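Review bot: The restrictive loader installed here is, as far as this patch shows, never removed again, so after xmlSecShutdown() the host application keeps xmlSecNoXxeExternalEntityLoader (or, after a NULL reset, whatever was captured) for all of its own libxml2 parsing; consider restoring xmlSecDefaultExternalEntityLoader in xmlSecShutdown() and documenting the side effect in the xmlSecInit doc comment, e.g. `/* installs a process-wide libxml2 entity loader that refuses external entities; see xmlSecSetExternalEntityLoader() */`. The once-only capture guard is right, since a repeated xmlSecInit() would otherwise record our own loader as the "default" to restore. The enclosing xmlSecInit body starts outside the hunk.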
@@ -182,4 +238,3 @@
     return(1);
 }
 
-