I have added support for the ACF syntax for passing xmlFeatures directives into isXml() and xmlParse().
All to make life easier since we locked down Lucee to be secure by default
We have proposed for a while to enable this protection by default for 6.0, which was widely agreed to.
After some internal discussions, we decided to also make this the default for 5.4, as security shouldn’t be opt in, Lucee should be secure by default.
These changes have been implemented in 5.4.2.10-SNAPSHOT and 6.0.0.514-SNAPSHOT.
There will be a 5.4.2 RC and Stable release in the coming weeks
What’s an XXE you ask?
https://foundeo.com/security/guide/xml-external-entities/
A little example…
If you need these overrides for other functions, just use xmlParse() and pass the result into xmlSearch() etc.
Added to 5.4.2.20-SNAPSHOT and 6.0.0.523-SNAPSHOT. Still on 5.3? It’s time to upgrade.
Examples in the test cases
component extends="org.lucee.cfml.test.LuceeTestCase" labels="xml" {
    function beforeAll(){
        variables.doctypeXml = '<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN" "http://www.hibernate.org/dtd/hibernate-mapping-3.0.dtd">
<hibernate-mapping></hibernate-mapping>';
        variables.entityXml = '<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://update.lucee.org/rest/update/provider/echoGet/cgi" >
]>
<foo>&xxe;</foo>'; // that url 404s
        // make the secure parsing features the application default for these tests
        application action="update" xmlFeatures={
            "secure": true,
            "disallowDoctypeDecl": true,
            "externalGeneralEntities": false
        };
    }
    // remaining test functions are not included in the original post
}
https://luceeserver.atlassian.net/browse/LDEV-3110
Just bumping this up: these per-use overrides are available in 5.4.3.2.
TryCF is now running 5.4.3.2; however, support for overriding xmlFeatures has been disabled via lucee.xmlfeatures.override.disable=true, so isXml() will still return false and xmlParse() will throw an error.
<cfscript>
    // trycf has lucee.xmlfeatures.override.disable=true set
    str = '<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN" "http://www.hibernate.org/dtd/hibernate-mapping-3.0.dtd">
<hibernate-mapping></hibernate-mapping>';
    dump( isXml( str ) ); // only returns boolean
    dump( isXml( str, {
        "secure": true,
        "disallowDoctypeDecl": true,
        "externalGeneralEntities": false
    } ) ); // xmlfeatures override ignored
    flush;
    try {
        dump( xmlParse( str, false, {
            "secure": true,
            "disallowDoctypeDecl": true,
            "externalGeneralEntities": false
        } ) ); // xmlfeatures override ignored
    } catch( e ){
        echo( e );
    }
</cfscript>
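As an added example (not code from the thread or from Lucee itself), a small wrapper that parses untrusted XML with the per-call secure xmlFeatures discussed above, so the behaviour does not depend on whatever the application-level default happens to be; parseUntrustedXml() and the two sample strings are constructed for this example.

```cfml
<cfscript>
// Hypothetical helper: parse XML from an untrusted source with the same three
// features the thread uses, passed per call rather than via application.cfc.
function parseUntrustedXml( required string xml ) {
    var features = {
        "secure": true,                  // secure processing on
        "disallowDoctypeDecl": true,     // any DOCTYPE is refused outright
        "externalGeneralEntities": false // SYSTEM entities are never resolved
    };
    // with these features isXml() returns false for a document carrying a
    // DOCTYPE, so reject cheaply before attempting a full parse
    if ( !isXml( arguments.xml, features ) ) {
        return { "ok": false, "reason": "rejected by secure xmlFeatures" };
    }
    try {
        return { "ok": true, "doc": xmlParse( arguments.xml, false, features ) };
    } catch ( any e ) {
        // anything the features let through but the parser still dislikes
        return { "ok": false, "reason": e.message };
    }
}

// constructed inputs: a plain document, and one declaring an external entity
plainXml  = '<?xml version="1.0"?><order><id>42</id></order>';
entityXml = '<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://example.invalid/never-fetched" > ]>
<foo>&xxe;</foo>';

dump( parseUntrustedXml( plainXml ) );  // ok: true, doc holds the parsed order
dump( parseUntrustedXml( entityXml ) ); // ok: false, the DOCTYPE is refused before any request could be made
</cfscript>
```

Where lucee.xmlfeatures.override.disable=true is set (as on TryCF), the per-call features are ignored and the application default applies instead, so the secure default still holds.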