Bug 65704 - The class XmlUtil.java has an XXE security issue
Summary: The class XmlUtil.java has an XXE security issue
Status: RESOLVED INVALID
Alias: None
Product: Taglibs
Classification: Unclassified
Component: Unknown Taglib
Version: 1.2.5
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-25 09:04 UTC by powercomtlmt
Modified: 2021-11-25 09:27 UTC

Attachments
source code (17.01 KB, text/x-csrc)
2021-11-25 09:04 UTC, powercomtlmt

Description powercomtlmt 2021-11-25 09:04:59 UTC
Created attachment 38102: source code

At line 88, the XML parser configured as 'tf' does not prevent or limit external entity resolution. This can expose the parser to an XML External Entities (XXE) attack. For example, as below:

 tf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

I think Taglibs could add the above line first and then parse the XML in the next step; that would be better. Thanks
Comment 1 Mark Thomas 2021-11-25 09:27:14 UTC
1. Security reports should not be posted to public bug trackers or mailing lists. The correct way to report security issues is described here:
http://tomcat.apache.org/security.html

2. The parser is not exposed to untrusted user input. It is not exploitable.
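The following is an added example, not code from the bug report, its attachment, or Taglibs itself. It shows the class of problem the reporter describes and the effect of the feature they propose: a constructed XXE payload is parsed first with a default JAXP DOM parser, which resolves the external entity and pulls a local file into the document, and then with the same feature the reporter quotes enabled, which rejects the input before any entity is touched. The parser type (a javax.xml.parsers.DocumentBuilderFactory), the temp file standing in for a secret, and the payload are all assumptions made here; the real 'tf' in the attachment is not reproduced on this page. As Mark Thomas points out, the hardening only matters when the document can come from an untrusted source, which is the question to settle before filing a report.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added example: XXE against a default JAXP DOM parser, then the same input with DOCTYPEs disallowed. */
public class XxeDemo {

    /** Constructed payload: an external general entity whose SYSTEM id points at a local file. */
    static String payload(File target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY ext SYSTEM \"" + target.toURI() + "\">\n"
             + "]>\n"
             + "<data>&ext;</data>";
    }

    /** Parser configured the way the report describes: nothing restricts external entity resolution. */
    static String parseUnhardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    /**
     * Hardened parser: the Xerces feature the reporter quotes makes the parser reject any DOCTYPE,
     * so neither entity declarations nor references to an external DTD can appear in the input.
     * Assumption: the factory is a DocumentBuilderFactory backed by the JDK's Xerces, which knows this feature.
     */
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Assumed "secret": a temp file standing in for anything the JVM can read, e.g. /etc/passwd.
        File secret = File.createTempFile("xxe-secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "TOP-SECRET".getBytes(StandardCharsets.UTF_8));

        String xml = payload(secret);

        // Default factory: the entity is resolved and the file contents land in the document text.
        System.out.println("unhardened parser returned: " + parseUnhardened(xml));

        // Hardened factory: the parse fails on the DOCTYPE, before any entity is resolved.
        try {
            parseHardened(xml);
            System.out.println("hardened parser returned a document (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the input: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE outright is the simplest fix when the application never needs a DTD. Where a DTD must be accepted, the usual alternative on the JDK parsers is to set the Xerces features "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false and the javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD attribute to an empty string, which stops the parser fetching anything outside the document.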