Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag.
This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references.
It was discovered that xml2rfc does not respect --allow-local-file-access when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source dir and below without using the --allow-local-file-access flag.
The xml2rfc <= 3.26.0 behaviour:
|
xinclude |
XML entity reference |
artwork src= |
sourcecode src= |
without --allow-local-file-access flag |
No filesystem access |
Any file in xml2rfc templates dir and below, any file in source directory and below |
Access source directory and below |
Access source directory and below |
with --allow-local-file-access flag |
Access any file on filesystem1 |
Access any file on filesystem1 |
Access source directory and below |
Access source directory and below |
Impact
Anyone running xml2rfc as a service that accepts input from external users is impacted by this issue.
Specifying a file in src attribute in artwork or sourcecode elements will cause the contents of that file to appear in xml2rfc’s output results.
But that file has to be inside the same directory as the XML input source file.
For artwork and sourcecode, xml2rfc will not look above the source file directory.
The proposed new behaviour
- Generalize file access checks.
- Only allow access to files within src dir and below. (xml entity include can access templates dir).
- Always allow access to
templates_dir for XML entity includes.
New behaviour:
|
xinclude |
XML entity reference |
artwork src= |
sourcecode src= |
without --allow-local-file-access flag |
No filesystem access |
No filesystem access (except for templates_dir) |
No filesystem access |
No filesystem access |
with --allow-local-file-access flag |
Access source directory and below |
Access source directory and below (Can accesstemplates_dir). |
Access source directory and below |
Access source directory and below |
Workarounds
Use a secure temporary directory to process un-trusted XML files, and do not reuse it for processing other XML documents.
Version 3.12.0 changed
xml2rfcso that it would not access local files without the presence of its new--allow-local-file-accessflag.This prevented XML External Entity (XXE) injection attacks with
xincludeand XML entity references.It was discovered that
xml2rfcdoes not respect--allow-local-file-accesswhen a local file is specified assrcinartworkorsourcecodeelements. Furthermore, XML entity references can include any file inside the source dir and below without using the--allow-local-file-accessflag.The
xml2rfc <= 3.26.0behaviour:xincludeartwork src=sourcecode src=--allow-local-file-accessflag--allow-local-file-accessflagImpact
Anyone running
xml2rfcas a service that accepts input from external users is impacted by this issue.Specifying a file in
srcattribute inartworkorsourcecodeelements will cause the contents of that file to appear in xml2rfc’s output results.But that file has to be inside the same directory as the XML input source file.
For
artworkandsourcecode,xml2rfcwill not look above the source file directory.The proposed new behaviour
templates_dirfor XML entity includes.New behaviour:
xincludeartwork src=sourcecode src=--allow-local-file-accessflagtemplates_dir)--allow-local-file-accessflagtemplates_dir).Workarounds
Use a secure temporary directory to process un-trusted XML files, and do not reuse it for processing other XML documents.
Footnotes
Access any file of the filesystem with the permissions of the user running
xml2rfccan access. ↩ ↩2