Opened 12 years ago

Closed 12 years ago

#967 closed defect (fixed)

Security: GN vulnerable to XML bombs

Reported by: heikki Owned by: heikki
Priority: major Milestone: v2.8.0 RC1
Component: General Version: v2.6.4
Keywords: security, xml bomb, DTD Cc:

Description

Michael Östling reports:

GeoNetwork has a security misconfiguration problem caused by the same reason as mentioned before: DTD directives are allowed in XML documents loaded by the user. This makes it possible to perform a kind of access attack called an "XML bomb".

An XML bomb makes use of the way that an XML processor manages entities in the XML document. In the process of replacing entities with the strings that they refer to, the XML parser needs to hold these strings in memory. An attacker can make use of this behaviour to create entities that use a lot of memory and then refer to them, which leads to a memory leak in the system that the XML parser is running on.

Avoid DTD-directives in the incoming XML document.

References:
http://msdn.microsoft.com/en-us/magazine/ee335713.aspx

The fix, which only works if you're running JDK 1.6, is to set FEATURE_SECURE_PROCESSING to true when creating SAXBuilder.

This sets a maximum number of DTD Entity expansions, and if the DTD exceeds the limit an exception is thrown. If this limit proves too restrictive it is possible to increase it using the System Property on the Java command line such as -DentityExpansionLimit=500000 (but it's difficult to imagine this would ever be necessary).

We do not disallow DTDs altogether as some metadata formats may use DTD.
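The fix as described above, written out as an added example (this is not the GeoNetwork commit itself): a JDOM 1.x SAXBuilder with FEATURE_SECURE_PROCESSING enabled, checked against a plain document that uses an internal DTD (which must still parse) and against a constructed regression fixture whose entity expansion count exceeds the JDK's default limit (which must be rejected). The class and method names are assumptions; the 64000 default is the JDK's entityExpansionLimit referred to in the ticket.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import org.jdom.Document;
import org.jdom.JDOMException;
import org.jdom.input.SAXBuilder;

// Added example, not GeoNetwork's own code: shows the SAXBuilder setting from the ticket.
public class SecureSaxBuilderDemo {

    // Every parser that is handed user-supplied XML should be created this way.
    static SAXBuilder newSecureBuilder() {
        SAXBuilder builder = new SAXBuilder();
        // Enables the JDK entity-expansion limit (64000 by default, adjustable with
        // -DentityExpansionLimit=...). Exceeding it makes the underlying Xerces parser
        // throw a SAXParseException, which JDOM surfaces as a JDOMException.
        builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return builder;
    }

    static Document parse(String xml) throws JDOMException, IOException {
        return newSecureBuilder().build(new StringReader(xml));
    }

    // Constructed regression fixture: entity e(i) references e(i-1) 'fanout' times,
    // 'depth' levels deep, so the total expansion count is fanout + fanout^2 + ... .
    static String nestedEntityFixture(int depth, int fanout) {
        StringBuilder dtd = new StringBuilder("<!DOCTYPE root [\n<!ENTITY e0 \"x\">\n");
        for (int i = 1; i <= depth; i++) {
            dtd.append("<!ENTITY e").append(i).append(" \"");
            for (int j = 0; j < fanout; j++) dtd.append("&e").append(i - 1).append(';');
            dtd.append("\">\n");
        }
        return dtd.append("]>\n<root>&e").append(depth).append(";</root>").toString();
    }

    public static void main(String[] args) throws Exception {
        // A legitimate document that declares a small internal DTD still parses:
        // the feature limits expansions, it does not disallow DTDs.
        String plain = "<!DOCTYPE root [<!ENTITY org \"GeoNetwork\">]><root>&org;</root>";
        System.out.println("plain document text: " + parse(plain).getRootElement().getText());

        // 16 + 16^2 + 16^3 + 16^4 = 69904 expansions, above the 64000 default limit.
        try {
            parse(nestedEntityFixture(4, 16));
            System.out.println("UNEXPECTED: expansion fixture was accepted");
        } catch (JDOMException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```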

Change History (1)

comment:1 by heikki, 12 years ago

Milestone: v2.6.5 → v2.8.0 RC1
Resolution: → fixed
Status: new → closed

Committed to master and 2.8.x: 6957a6200f9cc9894cc2f2642579cacc02f8b463
Backported to 2.6.x: 7096569361b9e04857d7b4a5f0d6dfd3e494752c
