Global configuration against XML external entity (XXE) injection


I was reading the following topic:

and to protect your app against XXE attacks (XML external entity injection), you need to insert the following code in the application.cfc file

// Application.cfc: Lucee XML parser hardening against XXE
this.xmlFeatures = {
   externalGeneralEntities: false, // do not resolve external general entities
   secure: true,                   // enable the parser's secure-processing mode
   disallowDoctypeDecl: true       // reject documents that carry a DOCTYPE at all
};

I was wondering if there is another way to configure these features? Can we do it globally for a Lucee server by editing a configuration file or in the properties of Lucee - Java - Java Options?

I understand it’s best to do this in the application.cfc file in case the app changes servers, but I’d like to do it globally too, in case a developer on the team forgets to do it in the application.cfc file for a particular website.

Finally, have you considered these settings to be the default for the next major version of Lucee?

Thank you!

OS: Windows Server 2016 (10.0) 64bit
Java Version: 1.8.0_181 (Oracle Corporation) 64bit
Tomcat Version: Apache Tomcat/8.5.33
Lucee Version: Lucee

That has been discussed, but someone would need to confirm if it has been done. I pushed for it to become the default a while ago due to the risk, but the concern of backwards compatibility was too great.

No (unless such a feature was added recently), which is quite limiting, especially when you don’t have easy control of third party code like the Lucee administrator or you forget about a subfolder with its own application. The reason given when I last asked about this was that the fix was rushed due to being a security concern and only the minimal effort was taken when implementing the settings.

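An added example, not written by anyone in this thread: a small Python audit that walks a webroot, treats every Application.cfc it finds as its own application (the forgotten-subfolder case mentioned in the reply above), and reports those whose this.xmlFeatures lacks any of the three settings quoted in the question. Until a global setting exists this is a compensating check for the "a developer forgets" concern; the regex-based reading of the CFML struct literal is this script's own simplification, not a Lucee API.

```python
import os
import re
from typing import Dict, List

# Settings quoted in the thread (key -> value that this.xmlFeatures must carry).
REQUIRED = {
    "externalgeneralentities": "false",
    "secure": "true",
    "disallowdoctypedecl": "true",
}

# CFML is case-insensitive; struct literals accept `key: value` or `key = value`,
# and keys may be quoted. Regex parsing is this script's simplification, not Lucee's parser.
_BLOCK_RE = re.compile(r"this\s*\.\s*xmlFeatures\s*=\s*\{(.*?)\}", re.IGNORECASE | re.DOTALL)
_PAIR_RE = re.compile(r"""["']?(\w+)["']?\s*[:=]\s*(true|false)""", re.IGNORECASE)

def parse_xml_features(source: str) -> Dict[str, str]:
    """Return the boolean entries of this.xmlFeatures, lower-cased; {} if absent."""
    m = _BLOCK_RE.search(source)
    if not m:
        return {}
    return {k.lower(): v.lower() for k, v in _PAIR_RE.findall(m.group(1))}

def missing_settings(source: str) -> List[str]:
    """Required XXE settings that are absent or set to the wrong value."""
    found = parse_xml_features(source)
    return [k for k, want in REQUIRED.items() if found.get(k) != want]

def audit_sources(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each Application.cfc path to its gaps; compliant files are omitted."""
    report = {p: missing_settings(t) for p, t in sources.items()}
    return {p: gaps for p, gaps in report.items() if gaps}

def audit_webroot(root: str) -> Dict[str, List[str]]:
    """Walk a webroot; every Application.cfc found is its own application."""
    sources = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "application.cfc":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return audit_sources(sources)

if __name__ == "__main__":
    import sys
    for path, gaps in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: missing {', '.join(gaps)}")
```

Run it against the webroot (or the Lucee context root) from a scheduled job so a site added later without the settings shows up rather than staying silent.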

Thank you for your answer Brad!

It’s going to be on by default in 6