XXE – C/C++ secure coding

libxml2

When parsing untrusted XML with libxml2, do not pass the following xmlParserOption flags to the parser entry points (xmlReadMemory, xmlReadFile, xmlReadDoc, xmlCtxtReadDoc and friends):

XML_PARSE_NOENT // Substitutes entity references with their replacement text, which makes the parser fetch external (SYSTEM/PUBLIC) entities
XML_PARSE_DTDLOAD // Loads the external DTD subset, so the attacker-controlled DOCTYPE can reference remote or local resources

XML_PARSE_DTDVALID has the same effect as XML_PARSE_NOENT with respect to external entities, because validation requires their content; leave it off for untrusted input as well.

Note: starting with libxml2 2.9.0, external parsed entities are no longer fetched by default; the parser only loads them when the application opts in with one of the options above. This was introduced by the following commit: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f. Code that may be linked against an older libxml2 cannot rely on that default and should refuse documents carrying a DOCTYPE, or audit its parser options explicitly.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
