git.kaiwu.me - njs.git/commit
XML: removed XML_PARSE_DTDVALID during a document parsing.
author: Dmitry Volyntsev <xeioex@nginx.com>
Thu, 2 Mar 2023 05:38:09 +0000 (21:38 -0800)
committer: Dmitry Volyntsev <xeioex@nginx.com>
Thu, 2 Mar 2023 05:38:09 +0000 (21:38 -0800)
commit: f0881774d5adb7c647b4e020f0bb765bdd431083
tree: 3b7224ca6229d9209083014edff71d6b6bf996a4
parent: b3f27310009156d88447781d776c9b5b9f70942f

When XML_PARSE_DTDVALID is enabled libxml2 parses and executes external
entities present inside an xml document.  This can lead to all the
classic XXE exploits, including SSRF and local file disclosure.

The issue was introduced in 99b9f83e4d4d (0.7.10).

Thanks to @BitK_.
external/njs_xml_module.c
test/xml/external_entity_ignored.t.js [new file with mode: 0644]
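
A source-audit check for the option this commit removes, as an added example that is not part of the commit or of njs: it scans C source for libxml2 read calls whose option arguments include DTD-loading or entity-substituting flags. The function names and the sample C lines are constructed for illustration and are not njs source.

```python
import re

# libxml2 xmlParserOption flags that pull DTD or entity content into a parse.
RISKY_FLAGS = ("XML_PARSE_DTDVALID", "XML_PARSE_DTDLOAD",
               "XML_PARSE_DTDATTR", "XML_PARSE_NOENT")
# libxml2 entry points whose arguments carry the option bitmask.
READ_CALLS = ("xmlReadMemory", "xmlReadFile", "xmlReadDoc", "xmlReadFd",
              "xmlCtxtReadMemory", "xmlCtxtReadFile", "xmlCtxtReadDoc",
              "xmlCtxtReadFd", "xmlCtxtUseOptions")
CALL_RE = re.compile(r"\b(" + "|".join(READ_CALLS) + r")\s*\(")
# String literals first, so "http://..." is not mistaken for a // comment.
NOISE_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)

def blank_noise(src):
    """Blank out strings and comments, keeping newlines so line numbers hold."""
    return NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def call_args(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unterminated call: scan to end of input

def audit(src):
    """List (line, function, flags) for read calls that pass a risky flag."""
    code = blank_noise(src)
    findings = []
    for m in CALL_RE.finditer(code):
        args = call_args(code, m.end() - 1)
        flags = [f for f in RISKY_FLAGS if re.search(r"\b%s\b" % f, args)]
        if flags:
            line = code.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), flags))
    return findings

# Constructed sample (not njs source): a call with the flag, then one without.
SAMPLE = '''\
doc = xmlCtxtReadMemory(ctx, buf, len, "doc.xml", NULL,
                        XML_PARSE_DTDVALID | XML_PARSE_NOERROR);
doc = xmlCtxtReadMemory(ctx, buf, len, "doc.xml", NULL,
                        /* XML_PARSE_DTDVALID removed */ XML_PARSE_NOERROR);
'''

if __name__ == "__main__":
    for line, func, flags in audit(SAMPLE):
        print("line %d: %s passes %s" % (line, func, ", ".join(flags)))
```

The check only sees flags written inside the call itself; an option mask built in a variable beforehand needs a manual look.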