diff -uPr xmlsec1-1.2.20/apps/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c
--- xmlsec1-1.2.20/apps/xmlsec.c 2017-08-09 12:45:45.246669522 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c 2017-07-18 12:21:59.554749331 -0400
@@ -528,6 +528,19 @@
NULL
};
+static xmlSecAppCmdLineParam xxeParam = {
+ xmlSecAppCmdLineTopicAll,
+ "--xxe",
+ NULL,
+ "--xxe"
+ "\n\tenable External Entity resolution."
+ "\n\tWARNING: this may allow the reading of arbitrary files and URLs,"
+ "\n\tcontrolled by the input XML document. Use with caution!",
+ xmlSecAppCmdLineParamTypeFlag,
+ xmlSecAppCmdLineParamFlagNone,
+ NULL
+};
+
/****************************************************************
*
@@ -904,6 +917,7 @@
&disableErrorMsgsParam,
&printCryptoErrorMsgsParam,
&helpParam,
+ &xxeParam,
/* MUST be the last one */
NULL
@@ -1087,6 +1101,11 @@
goto fail;
}
+ /* enable XXE? */
+ if(xmlSecAppCmdLineParamIsSet(&xxeParam)) {
+ xmlSecSetExternalEntityLoader( NULL ); // reset to libxml2's default handler
+ }
+
/* get the "repeats" number */
if(xmlSecAppCmdLineParamIsSet(&repeatParam) &&
(xmlSecAppCmdLineParamGetInt(&repeatParam, 1) > 0)) {
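Review bot: The comment on the `xmlSecSetExternalEntityLoader( NULL )` call says it resets to libxml2's default handler, but on the library side of this patch NULL reinstalls whatever loader was saved when xmlSecInit() ran, which may be a loader the application itself had installed rather than libxml2's built-in one. The line also uses a `//` comment while the `/* enable XXE? */` line just above and the rest of the hunk use block comments. Suggest `xmlSecSetExternalEntityLoader(NULL); /* restore the loader saved at xmlSecInit (external entities allowed) */`. The enclosing function starts and ends outside this hunk.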
diff -uPr xmlsec1-1.2.20/include/xmlsec/xmlsec.h xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h
--- xmlsec1-1.2.20/include/xmlsec/xmlsec.h 2014-05-27 14:29:01.000000000 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h 2017-07-18 12:21:59.555749324 -0400
@@ -89,6 +89,7 @@
XMLSEC_EXPORT int xmlSecInit (void);
XMLSEC_EXPORT int xmlSecShutdown (void);
+XMLSEC_EXPORT void xmlSecSetExternalEntityLoader (xmlExternalEntityLoader);
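Review bot: The new public export xmlSecSetExternalEntityLoader is declared without any comment, and NULL has a special meaning for it that a caller reading only the header cannot see. Suggest a short comment above the declaration stating that entityLoader is the libxml2 external entity loader to install process-wide, or NULL to restore the loader that was active when xmlSecInit() was first called, and that the call is only meaningful after xmlSecInit(). Whether this header already pulls in the libxml2 header that defines xmlExternalEntityLoader is not visible in this hunk.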
diff -uPr xmlsec1-1.2.20/src/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c
--- xmlsec1-1.2.20/src/xmlsec.c 2014-05-27 14:29:01.000000000 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c 2017-08-09 12:44:03.386416274 -0400
@@ -25,6 +25,56 @@
#include <xmlsec/errors.h>
/**
+ * Custom external entity handler, denies all files except the initial
+ * document we're parsing (input_id == 1)
+ */
+/* default external entity loader, pointer saved during xmlInit */
+static xmlExternalEntityLoader
+xmlSecDefaultExternalEntityLoader = NULL;
+
+/*
+ * xmlSecNoXxeExternalEntityLoader:
+ * @URL: the URL for the entity to load
+ * @ID: public ID for the entity to load
+ * @ctxt: XML parser context, or NULL
+ *
+ * See libxml2's xmlLoadExternalEntity and xmlNoNetExternalEntityLoader.
+ * This function prevents any external (file or network) entities from being loaded.
+ */
+static xmlParserInputPtr
+xmlSecNoXxeExternalEntityLoader(const char *URL, const char *ID,
+ xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL) {
+ return(NULL);
+ }
+ if (ctxt->input_id == 1) {
+ return xmlSecDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
+ }
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecNoXxeExternalEntityLoader",
+ XMLSEC_ERRORS_R_XML_FAILED,
+ "illegal external entity='%s'", xmlSecErrorsSafeString(URL));
+ return(NULL);
+}
+
+/*
+ * xmlSecSetExternalEntityLoader:
+ * @entityLoader: the new entity resolver function, or NULL to restore
+ * libxml2's default handler
+ *
+ * Wrapper for xmlSetExternalEntityLoader.
+ */
+void
+xmlSecSetExternalEntityLoader(xmlExternalEntityLoader entityLoader) {
+ if (entityLoader == NULL) {
+ entityLoader = xmlSecDefaultExternalEntityLoader;
+ }
+ xmlSetExternalEntityLoader(entityLoader);
+}
+
+
+/**
* xmlSecInit:
*
* Initializes XML Security Library. The depended libraries
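Review bot: xmlSecSetExternalEntityLoader(NULL) called before xmlSecInit() hands a NULL pointer to xmlSetExternalEntityLoader, because xmlSecDefaultExternalEntityLoader is only filled in by xmlSecInit and the fallback line `entityLoader = xmlSecDefaultExternalEntityLoader;` does not check the result, so libxml2 would invoke a NULL loader on the next parse. Add a guard after the fallback, `if (entityLoader == NULL) { return; }` (nothing has been saved yet, so there is nothing to restore), or document that the function is only valid after xmlSecInit(). Separately, the `/** Custom external entity handler ... */` comment sits above the static pointer variable rather than above xmlSecNoXxeExternalEntityLoader, and the phrase "restore libxml2's default handler" in the xmlSecSetExternalEntityLoader comment is inexact: what is restored is the loader active when xmlSecInit first ran, which an application may have installed itself. The `ctxt->input_id == 1` test depends on a libxml2 parser-context field; a comment noting that only the first input of a context (the document being parsed) is let through, and every later external lookup is refused, would help a maintainer who does not know that field.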
@@ -85,6 +135,12 @@
}
#endif /* XMLSEC_NO_XKMS */
+ /* initialise safe external entity loader */
+ if (!xmlSecDefaultExternalEntityLoader) {
+ xmlSecDefaultExternalEntityLoader = xmlGetExternalEntityLoader();
+ }
+ xmlSetExternalEntityLoader(xmlSecNoXxeExternalEntityLoader);
+
/* we use rand() function to generate id attributes */
srand(time(NULL));
return(0);
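Review bot: xmlSetExternalEntityLoader installs the restrictive loader process-wide, so after xmlSecInit every libxml2 parse in the application, not only xmlsec's own, has external entity lookups refused unless the caller opts back in through xmlSecSetExternalEntityLoader; the comment `/* initialise safe external entity loader */` should say that this is a global libxml2 setting. No matching restore appears for xmlSecShutdown in this patch (its body is outside the diff), so the loader presumably stays installed after shutdown; if that is intended it deserves a sentence in the xmlSecInit documentation. Suggested comment: `/* install a process-wide libxml2 entity loader that refuses external entities (XXE); see xmlSecSetExternalEntityLoader() to override */`. The enclosing function xmlSecInit starts outside this hunk.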
@@ -182,4 +238,3 @@
return(1);
}
-