1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
Description: Update documentation for XML::Twig.
Mention problems with expand_external_ents and add
information about new no_xxe argument.
.
Additionally add tests for both expand_external_ents and no_xxe.
Origin: vendor
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
Bug-Debian: https://bugs.debian.org/842893
Author: gregor herrmann <gregoa@debian.org>
Last-Update: 2019-03-30
--- a/Twig_pm.slow
+++ b/Twig_pm.slow
@@ -10454,6 +10454,15 @@
pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
cases.
+B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
+as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
+To completelty turn off expanding external entities use C<no_xxe>.
+
+=item no_xxe
+
+If this argument is set to a true value, expanding of external entities is
+turned off.
+
=item load_DTD
If this argument is set to a true value, C<parse> or C<parsefile> on the twig
--- /dev/null
+++ b/t/CVE-2016-9180.t
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More;
+use Test::Exception;
+
+BEGIN { use_ok('XML::Twig'); }
+
+my $twig = XML::Twig->new( expand_external_ents => 1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+my $result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
+
+TODO: {
+ local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
+
+$twig = XML::Twig->new( expand_external_ents => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded (expand_external_ents 0)' );
+
+$twig = XML::Twig->new( expand_external_ents => -1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded and no fail (expand_external_ents -1)' );
+
+}
+
+$twig = XML::Twig->new( no_xxe => 1 );
+throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
+ 'external entity not expanded (no_xxe 1)';
+
+$twig = XML::Twig->new( no_xxe => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
+
+done_testing();
--- /dev/null
+++ b/t/CVE-2016-9180.txt
@@ -0,0 +1 @@
+Boom
--- /dev/null
+++ b/t/CVE-2016-9180.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+ <!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
+]>
+<root>&xxe;</root>
|
