diff -uPr xmlsec1-1.2.20/apps/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c
--- xmlsec1-1.2.20/apps/xmlsec.c 2017-08-09 12:45:45.246669522 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/apps/xmlsec.c 2017-07-18 12:21:59.554749331 -0400
@@ -528,6 +528,19 @@
 NULL
 };
+static xmlSecAppCmdLineParam xxeParam = {
+ xmlSecAppCmdLineTopicAll,
+ "--xxe",
+ NULL,
+ "--xxe"
+ "\n\tenable External Entity resolution."
+ "\n\tWARNING: this may allow the reading of arbitrary files and URLs,"
+ "\n\tcontrolled by the input XML document. Use with caution!",
+ xmlSecAppCmdLineParamTypeFlag,
+ xmlSecAppCmdLineParamFlagNone,
+ NULL
+};
+
 /****************************************************************
 *
@@ -904,6 +917,7 @@
 &disableErrorMsgsParam,
 &printCryptoErrorMsgsParam,
 &helpParam,
+ &xxeParam,
 /* MUST be the last one */
 NULL
@@ -1087,6 +1101,11 @@
 goto fail;
 }
+ /* enable XXE? */
+ if(xmlSecAppCmdLineParamIsSet(&xxeParam)) {
+ xmlSecSetExternalEntityLoader( NULL ); // reset to libxml2's default handler
+ }
+
 /* get the "repeats" number */
 if(xmlSecAppCmdLineParamIsSet(&repeatParam) &&
 (xmlSecAppCmdLineParamGetInt(&repeatParam, 1) > 0)) {
diff -uPr xmlsec1-1.2.20/include/xmlsec/xmlsec.h xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h
--- xmlsec1-1.2.20/include/xmlsec/xmlsec.h 2014-05-27 14:29:01.000000000 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/include/xmlsec/xmlsec.h 2017-07-18 12:21:59.555749324 -0400
@@ -89,6 +89,7 @@
 XMLSEC_EXPORT int xmlSecInit (void);
 XMLSEC_EXPORT int xmlSecShutdown (void);
+XMLSEC_EXPORT void xmlSecSetExternalEntityLoader (xmlExternalEntityLoader);
diff -uPr xmlsec1-1.2.20/src/xmlsec.c xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c
--- xmlsec1-1.2.20/src/xmlsec.c 2014-05-27 14:29:01.000000000 -0400
+++ xmlsec1-1.2.20-CVE-2017-1000061/src/xmlsec.c 2017-08-09 12:44:03.386416274 -0400
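Review bot: `xmlSecSetExternalEntityLoader( NULL )` only restores libxml2's loader if xmlSecInit() has already saved it into xmlSecDefaultExternalEntityLoader; if this option is processed before xmlSecInit() (the call order is outside this hunk, so this is inferred), the wrapper in src/xmlsec.c substitutes the still-NULL saved pointer and hands a NULL function pointer to xmlSetExternalEntityLoader, which libxml2 appears to store as-is, so the next entity load would call through it. Either state the ordering requirement in the comment here or make the wrapper (src/xmlsec.c hunk @@ -25) fall back to xmlGetExternalEntityLoader() when nothing has been saved yet. As a style point, the line mixes a `//` comment and padded parentheses with the `/* */` form used on the line above it; `xmlSecSetExternalEntityLoader(NULL); /* reset to libxml2's default handler */` matches the file. The enclosing function starts and ends outside the hunk.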
@@ -25,6 +25,56 @@
 #include
 /**
+ * Custom external entity handler, denies all files except the initial
+ * document we're parsing (input_id == 1)
+ */
+/* default external entity loader, pointer saved during xmlInit */
+static xmlExternalEntityLoader
+xmlSecDefaultExternalEntityLoader = NULL;
+
+/*
+ * xmlSecNoXxeExternalEntityLoader:
+ * @URL: the URL for the entity to load
+ * @ID: public ID for the entity to load
+ * @ctxt: XML parser context, or NULL
+ *
+ * See libxml2's xmlLoadExternalEntity and xmlNoNetExternalEntityLoader.
+ * This function prevents any external (file or network) entities from being loaded.
+ */
+static xmlParserInputPtr
+xmlSecNoXxeExternalEntityLoader(const char *URL, const char *ID,
+ xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL) {
+ return(NULL);
+ }
+ if (ctxt->input_id == 1) {
+ return xmlSecDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
+ }
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecNoXxeExternalEntityLoader",
+ XMLSEC_ERRORS_R_XML_FAILED,
+ "illegal external entity='%s'", xmlSecErrorsSafeString(URL));
+ return(NULL);
+}
+
+/*
+ * xmlSecSetExternalEntityLoader:
+ * @entityLoader: the new entity resolver function, or NULL to restore
+ * libxml2's default handler
+ *
+ * Wrapper for xmlSetExternalEntityLoader.
+ */
+void
+xmlSecSetExternalEntityLoader(xmlExternalEntityLoader entityLoader) {
+ if (entityLoader == NULL) {
+ entityLoader = xmlSecDefaultExternalEntityLoader;
+ }
+ xmlSetExternalEntityLoader(entityLoader);
+}
+
+
+/**
  * xmlSecInit:
  *
  * Initializes XML Security Library. The depended libraries
@@ -85,6 +135,12 @@
 }
 #endif /* XMLSEC_NO_XKMS */
+ /* initialise safe external entity loader */
+ if (!xmlSecDefaultExternalEntityLoader) {
+ xmlSecDefaultExternalEntityLoader = xmlGetExternalEntityLoader();
+ }
+ xmlSetExternalEntityLoader(xmlSecNoXxeExternalEntityLoader);
+
 /* we use rand() function to generate id attributes */
 srand(time(NULL));
 return(0);
@@ -182,4 +238,3 @@
 return(1);
 }
-
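Review bot: The `/** Custom external entity handler ... */` text closes the context `/**` line and so becomes a complete comment over the static xmlSecDefaultExternalEntityLoader pointer, while the function it describes, xmlSecNoXxeExternalEntityLoader, gets only a `/*` block; move the "denies all files except the initial document" sentence into the function's comment and let the pointer keep its one-line `/* default external entity loader ... */`. The exported xmlSecSetExternalEntityLoader likewise uses `/*` rather than the `/**` form the file uses for xmlSecInit, so documentation tooling keyed on `/**` would skip a public API. The `ctxt->input_id == 1` test relies on libxml2 bumping that counter for every input it creates, so only the loader call made before the first input exists (the initial document) is forwarded and DTD subsets and entities are refused; that assumption deserves a line in the function comment, e.g. ` * Only the load of the initial document (made before libxml2 creates its first input, input_id still 1) is forwarded; everything else is refused.` The `(const char *) URL` cast is a no-op, as URL already has that type.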
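Review bot: xmlSecInit() now replaces libxml2's process-wide external entity loader, which changes the behaviour of every libxml2 parse in the host application rather than only xmlsec's, yet the function's doc comment (which starts outside this hunk) does not mention it; add ` * Note: installs a process-wide libxml2 entity loader that refuses all external entities; use xmlSecSetExternalEntityLoader() to change it.` xmlSecShutdown(), whose hunk here only drops a trailing blank line, leaves the xmlsec loader installed after shutdown; restoring the saved one with `if(xmlSecDefaultExternalEntityLoader != NULL) { xmlSetExternalEntityLoader(xmlSecDefaultExternalEntityLoader); }` keeps init and shutdown symmetric. The `if (!xmlSecDefaultExternalEntityLoader)` guard does correctly avoid capturing xmlsec's own loader on a repeated xmlSecInit(). xmlSecInit's body starts outside the hunk.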