]> git.koha-community.org Git - koha.git/commit
Bug 23290: XSLT system preferences allow administrators to exploit XML and XSLT vulne...
authorDavid Cook <dcook@prosentient.com.au>
Thu, 23 May 2019 06:53:57 +0000 (16:53 +1000)
committerMartin Renvoize <martin.renvoize@ptfs-europe.com>
Tue, 25 Feb 2020 13:40:48 +0000 (13:40 +0000)
commit322fbf151b0e5bd0f2e68a6d7e8157d1aa12910d
tree214d6ec408bc2388390d68851c3240eb90232ce8
parent884ab0d98e54d3a9f5229e2d21fd234dddf298b0
Bug 23290: XSLT system preferences allow administrators to exploit XML and XSLT vulnerabilities

The problem is that administrators can provide XSLTs that
can read from the server and network and write to the server. The

This patch prevents the Koha::XSLT_Handler from running
XSLT stylesheets that call actions such as read_file, write_file,
read_net, and write_net as documented at
https://metacpan.org/pod/XML::LibXSLT#XML::LibXSLT::Security

(Previous tests suggested issues with XML external entities
causing read file like vulnerabilities but these were not
reproducible)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Koha/XSLT_Handler.pm