XXE – C/C++ secure coding
libxml2
The Enum xmlParserOption should not have the following options defined:
XML_PARSE_NOENT // Expands entities and substitutes them with replacement text
XML_PARSE_DTDLOAD // Load the external DTD
Note: starting with libxml2 version 2.9, XXE has been disabled by default as committed by the following patch: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f.
Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
Leave a Reply
Want to join the discussion?Feel free to contribute!