Description: Update documentation for XML::Twig. Mention problems with expand_external_ents and add information about new no_xxe argument.
 .
 Additionally add tests for both expand_external_ents and no_xxe.
Origin: vendor
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
Bug-Debian: https://bugs.debian.org/842893
Author: gregor herrmann
Last-Update: 2019-03-30
--- a/Twig_pm.slow
+++ b/Twig_pm.slow
@@ -10454,6 +10454,15 @@ pubid => }). Yes, this is a bit of a hack, but it's useful in some cases.
+B: setting expand_external_ents to 0 or -1 currently doesn't work
+as expected; cf. L.
+To completely turn off expanding external entities use C.
+
+=item no_xxe
+
+If this argument is set to a true value, expanding of external entities is
+turned off.
+
+=item load_DTD
+
+If this argument is set to a true value, C or C on the twig
--- /dev/null
+++ b/t/CVE-2016-9180.t
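Review bot: The new `no_xxe` entry says external-entity expansion is "turned off", but the accompanying t/CVE-2016-9180.t expects `parsefile` to die with `cannot expand &xxe;` when the option is set, so the documented contract is fail-closed rather than silent skipping and callers need to know to wrap the parse in `eval`/`Try::Tiny` and treat the error as a rejected document. Suggested wording: `If this argument is set to a true value, any attempt to expand an external entity makes the parse die with an error instead of reading the referenced resource; use it for documents that come from untrusted sources.` The note on `expand_external_ents` 0/-1 would also be clearer if it said explicitly that those values currently still expand external entities (which is what the TODO-marked tests in the new test file imply), so readers do not mistake them for a mitigation. The POD formatting codes appear stripped in this rendering (`B:`, `L.`, `C.`), presumably `B<NOTE>`, `L<url>` and `C<no_xxe>` in the actual patch; worth confirming in the applied file.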
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More;
+use Test::Exception;
+
+BEGIN { use_ok('XML::Twig'); }
+
+my $twig = XML::Twig->new( expand_external_ents => 1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+my $result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
+
+TODO: {
+ local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
+
+$twig = XML::Twig->new( expand_external_ents => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded (expand_external_ents 0)' );
+
+$twig = XML::Twig->new( expand_external_ents => -1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded and no fail (expand_external_ents -1)' );
+
+}
+
+$twig = XML::Twig->new( no_xxe => 1 );
+throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
+ 'external entity not expanded (no_xxe 1)';
+
+$twig = XML::Twig->new( no_xxe => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
+
+done_testing();
--- /dev/null
+++ b/t/CVE-2016-9180.txt
@@ -0,0 +1 @@
+Boom
--- /dev/null
+++ b/t/CVE-2016-9180.xml
@@ -0,0 +1,5 @@
+
+
+]>
+&xxe;
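Review bot: The `no_xxe => 1` case only checks that a document with an external entity dies; nothing checks that the option leaves ordinary documents alone, so a regression where the guard rejects every document would still pass this file. Add a positive case after the `throws_ok`, e.g. `$twig = XML::Twig->new( no_xxe => 1 ); lives_ok { $twig->parse('<doc>plain</doc>') } 'no_xxe does not affect documents without external entities';` (`lives_ok` comes from the already-loaded Test::Exception). The `expand_external_ents => 0` and `-1` checks inside the TODO block call `parsefile` outside any `eval`, so if a future fix makes those values die instead of silently skipping, the whole script aborts rather than recording a TODO result — wrapping those two parses in `lives_ok` (or `eval`) keeps the block self-contained. The fixtures are referenced by paths relative to the distribution root (`t/CVE-2016-9180.xml`), so the test only works when run from there; a `FindBin`-based path would make it runnable from any cwd.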