Description: CVE-2013-1915: Vulnerable to XXE attacks
This upstream patch has been backported to the Wheezy version.
Author: Thomas Goirand <zigo@debian.org>
Bug-Debian: http://bugs.debian.org/704625
Origin: upstream, https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
Reviewed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Last-Update: <2013-04-06>
Index: libapache-mod-security-2.5.12/apache2/msc_xml.c
===================================================================
--- libapache-mod-security-2.5.12.orig/apache2/msc_xml.c 2010-02-04 00:50:24.000000000 +0100
+++ libapache-mod-security-2.5.12/apache2/msc_xml.c 2013-04-06 17:43:41.693429800 +0200
@@ -18,17 +18,27 @@
*/
#include "msc_xml.h"
+static xmlParserInputBufferPtr
+xml_unload_external_entity(const char *URI, xmlCharEncoding enc) {
+ return NULL;
+}
/**
* Initialise XML parser.
*/
int xml_init(modsec_rec *msr, char **error_msg) {
+ xmlParserInputBufferCreateFilenameFunc entity;
+
if (error_msg == NULL) return -1;
*error_msg = NULL;
msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
if (msr->xml == NULL) return -1;
+ if(msr->txcfg->xml_external_entity == 0) {
+ entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
+ }
+
return 1;
}
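Review bot: `entity` in xml_init() receives the previous default handler returned by xmlParserInputBufferCreateFilenameDefault() and is then never used, so it draws an unused-variable warning and the saved handler can never be restored. xmlParserInputBufferCreateFilenameDefault() replaces a libxml2 process-wide default, yet the check is made per request on msr->txcfg: once a single request runs in a context with SecXmlExternalEntity Off, the loader stays disabled for every later request in that worker, and there is no else branch that re-installs the original handler for contexts that set the directive On. Consider either applying the setting once at module init from the merged config, or keeping the returned handler and restoring it with `xmlParserInputBufferCreateFilenameDefault(entity)` when external entities are allowed. Minor: `if(` should be `if (` to match the surrounding code.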
Index: libapache-mod-security-2.5.12/apache2/apache2_config.c
===================================================================
--- libapache-mod-security-2.5.12.orig/apache2/apache2_config.c 2010-02-05 19:26:43.000000000 +0100
+++ libapache-mod-security-2.5.12/apache2/apache2_config.c 2013-04-06 17:49:35.173514493 +0200
@@ -125,6 +125,9 @@
dcfg->request_encoding = NOT_SET_P;
+ /* xml external entity */
+ dcfg->xml_external_entity = NOT_SET;
+
return dcfg;
}
@@ -483,6 +486,10 @@
merged->request_encoding = (child->request_encoding == NOT_SET_P
? parent->request_encoding : child->request_encoding);
+ /* xml external entity */
+ merged->xml_external_entity = (child->xml_external_entity == NOT_SET
+ ? parent->xml_external_entity : child->xml_external_entity);
+
return merged;
}
@@ -573,6 +580,8 @@
if (dcfg->request_encoding == NOT_SET_P) dcfg->request_encoding = NULL;
+ /* xml external entity */
+ if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
}
/**
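Review bot: The default set here is 0, so after this patch external entity loading is denied unless a configuration explicitly says `SecXmlExternalEntity On`. That is the right default for an XXE fix, but it is a behaviour change for existing Wheezy deployments whose XML payloads rely on external entities, so the Debian changelog or README.Debian should name the new directive and the changed default.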
@@ -1698,6 +1707,32 @@
}
+/**
+* \brief Add SecXmlExternalEntity configuration option
+*
+* \param cmd Pointer to configuration data
+* \param _dcfg Pointer to directory configuration
+* \param p1 Pointer to configuration option
+*
+* \retval NULL On failure
+* \retval apr_psprintf On Success
+*/
+static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+ directory_config *dcfg = (directory_config *)_dcfg;
+ if (dcfg == NULL) return NULL;
+
+ if (strcasecmp(p1, "on") == 0) {
+ dcfg->xml_external_entity = 1;
+ }
+ else if (strcasecmp(p1, "off") == 0) {
+ dcfg->xml_external_entity = 0;
+ }
+ else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
+
+ return NULL;
+}
+
/* PCRE Limits */
static const char *cmd_pcre_match_limit(cmd_parms *cmd,
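Review bot: The doxygen block has the return values reversed: the body returns NULL on success and an apr_psprintf() error string on an invalid value, so `\retval NULL On failure` and `\retval apr_psprintf On Success` should be swapped. Also, `if (dcfg == NULL) return NULL;` silently reports success when there is no directory configuration to store the setting in; returning an error string there would make a misconfiguration visible instead of leaving the directive ignored.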
@@ -2057,6 +2092,14 @@
"component signature to add to ModSecurity signature."
),
+ AP_INIT_TAKE1 (
+ "SecXmlExternalEntity",
+ cmd_xml_external_entity,
+ NULL,
+ CMD_SCOPE_ANY,
+ "On or Off"
+ ),
+
AP_INIT_FLAG (
"SecContentInjection",
cmd_content_injection,
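Review bot: SecXmlExternalEntity is registered with AP_INIT_TAKE1 and parses "on"/"off" by hand, while the neighbouring SecContentInjection uses AP_INIT_FLAG, which lets Apache do the On/Off parsing and passes the handler an int. Registering this directive with AP_INIT_FLAG as well would drop the strcasecmp branches and the custom error message from cmd_xml_external_entity and keep the two flag-style directives consistent.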
Index: libapache-mod-security-2.5.12/apache2/modsecurity.h
===================================================================
--- libapache-mod-security-2.5.12.orig/apache2/modsecurity.h 2010-02-05 19:15:31.000000000 +0100
+++ libapache-mod-security-2.5.12/apache2/modsecurity.h 2013-04-06 17:48:52.991465392 +0200
@@ -477,6 +477,9 @@
/* Request character encoding. */
const char *request_encoding;
+
+ /* xml */
+ int xml_external_entity;
};
struct error_message {
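Review bot: The comment `/* xml */` above the new field says nothing about its meaning or its states. A comment on the level of the surrounding ones (e.g. `/* Request character encoding. */`), such as `/* SecXmlExternalEntity: 1 = allow libxml2 to load external entities, 0 = deny, NOT_SET until merged. */`, would save the next reader a trip through apache2_config.c and msc_xml.c.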