XXE – iOS secure coding
libxml2
iOS includes the C/C++ libxml2 library described in the C/C++ secure coding examples, so that guidance applies if you are using libxml2 directly. However, the version of libxml2 shipped up through iOS 6 predates libxml2 2.9, the first release that protects against XXE by default, so on those versions you must disable external entity loading yourself.
NSXMLDocument
iOS also provides an NSXMLDocument type, which is built on top of libxml2. However, NSXMLDocument provides some additional protections against XXE that aren’t available in libxml2 directly:
iOS 4 and earlier: all external entities are loaded by default.
iOS 5 and later: only entities that don't require network access are loaded, which is safer but still allows local file entities.
However, to completely disable XXE in an NSXMLDocument on any version of iOS, simply specify NSXMLNodeLoadExternalEntitiesNever in the options when creating the NSXMLDocument.
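The following is an added example (not code from the original post) showing that option in use: a constructed XML document declares an external entity pointing at a local file, and the parser is created with NSXMLNodeLoadExternalEntitiesNever so the entity is never fetched. It assumes Foundation with NSXMLDocument available; the entity's file path is a constructed placeholder.

```objective-c
#import <Foundation/Foundation.h>

// Constructed sample: the DTD declares an external entity that points at a
// local file. If the parser resolved it, the file contents would appear in
// <body>, which is exactly the XXE disclosure we want to prevent.
static NSString *const kSampleXML =
    @"<?xml version=\"1.0\"?>"
    @"<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///tmp/constructed-secret.txt\">]>"
    @"<note><body>&ext;</body></note>";

// Parse untrusted XML with external entity loading fully disabled.
// Returns nil and sets *error if the document cannot be parsed.
NSXMLDocument *parseUntrustedXML(NSData *data, NSError **error) {
    // NSXMLNodeLoadExternalEntitiesNever: never fetch entities from the file
    // system or the network, regardless of the iOS version's default.
    // Other NSXMLNodeOptions flags can be OR'ed into this mask if needed.
    NSUInteger options = NSXMLNodeLoadExternalEntitiesNever;
    return [[NSXMLDocument alloc] initWithData:data options:options error:error];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSData *data = [kSampleXML dataUsingEncoding:NSUTF8StringEncoding];
        NSError *error = nil;
        NSXMLDocument *doc = parseUntrustedXML(data, &error);
        if (doc == nil) {
            NSLog(@"parse failed: %@", error);
            return 1;
        }
        NSXMLElement *body = [[doc rootElement] elementsForName:@"body"].firstObject;
        // With loading disabled, the &ext; reference is left unresolved, so the
        // body's string value must not contain the referenced file's contents.
        NSLog(@"body = '%@'", [body stringValue]);
    }
    return 0;
}
```

NSXMLNodeLoadExternalEntitiesSameOriginOnly corresponds to the iOS 5 default described above; prefer Never for any document that comes from an untrusted source.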
References:
http://developer.apple.com/library/ios/#releasenotes/Foundation/RN-Foundation-iOS/Foundation_iOS5.html
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#iOS