Diffstat (limited to 'patches/7(2.5.4).diff')
| -rw-r--r-- | patches/7(2.5.4).diff | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/patches/7(2.5.4).diff b/patches/7(2.5.4).diff
new file mode 100644
index 0000000..d630ee3
--- /dev/null
+++ b/patches/7(2.5.4).diff
@@ -0,0 +1,110 @@
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index 468ec101293b462c8eddaddf375d0de9e8d68fcd..9d9aadc6e8a0162d8944622f783a6301fefd6cfa 100644
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+ 
+ ### Removed
+ 
++## 2.5.54
++
++## Security
++- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
++
+ ## 2.5.3
+ 
+ ### Security
+diff --git a/changelog.d/akkoma-xml-remote-entities.security b/changelog.d/akkoma-xml-remote-entities.security
+new file mode 100644
+index 0000000000000000000000000000000000000000..5e6725e5bb5ad6a7140beb8245676a1fa0408086
+--- /dev/null
++++ b/changelog.d/akkoma-xml-remote-entities.security
+@@ -0,0 +1 @@
++Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
+diff --git a/lib/pleroma/web/xml.ex b/lib/pleroma/web/xml.ex
+index b699446b007b07ec9e7e5f057ba6532d405a77cd..380a80ab83afe367b08a9770cac110440c6f4ccf 100644
+--- a/lib/pleroma/web/xml.ex
++++ b/lib/pleroma/web/xml.ex
+@@ -29,7 +29,10 @@ def parse_document(text) do
+ {doc, _rest} =
+ text
+ |> :binary.bin_to_list()
+- |> :xmerl_scan.string(quiet: true)
++ |> :xmerl_scan.string(
++ quiet: true,
++ fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
++ )
+ 
+ {:ok, doc}
+ rescue
+diff --git a/mix.exs b/mix.exs
+index d1cdb151dd25545b31f777e8c3b57e42db673357..12f721364dd75744651e5044936d195684d8cf08 100644
+--- a/mix.exs
++++ b/mix.exs
+@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
+ def project do
+ [
+ app: :pleroma,
+- version: version("2.5.3"),
++ version: version("2.5.4"),
+ elixir: "~> 1.11",
+ elixirc_paths: elixirc_paths(Mix.env()),
+ compilers: [:phoenix, :gettext] ++ Mix.compilers(),
+diff --git a/test/fixtures/xml_external_entities.xml b/test/fixtures/xml_external_entities.xml
+new file mode 100644
+index 0000000000000000000000000000000000000000..d5ff87134734bd072f57e41ff7662638c0cc22c8
+--- /dev/null
++++ b/test/fixtures/xml_external_entities.xml
+@@ -0,0 +1,3 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
++<stockCheck><productId>&xxe;</productId></stockCheck>
+diff --git a/test/pleroma/web/web_finger_test.exs b/test/pleroma/web/web_finger_test.exs
+index fafef54fe7040df234ee0931787a024481f6f053..be5e08776becca8ade9710f76f41a7678a2fb7c8 100644
+--- a/test/pleroma/web/web_finger_test.exs
++++ b/test/pleroma/web/web_finger_test.exs
+@@ -180,5 +180,28 @@ test "respects xml content-type" do
+ 
+ {:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
+ end
++
++ test "refuses to process XML remote entities" do
++ Tesla.Mock.mock(fn
++ %{
++ url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
++ } ->
++ {:ok,
++ %Tesla.Env{
++ status: 200,
++ body: File.read!("test/fixtures/xml_external_entities.xml"),
++ headers: [{"content-type", "application/xrd+xml"}]
++ }}
++
++ %{url: "https://pawoo.net/.well-known/host-meta"} ->
++ {:ok,
++ %Tesla.Env{
++ status: 200,
++ body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
++ }}
++ end)
++
++ assert :error = WebFinger.finger("pekorino@pawoo.net")
++ end
+ end
+ end
+diff --git a/test/pleroma/web/xml_test.exs b/test/pleroma/web/xml_test.exs
+new file mode 100644
+index 0000000000000000000000000000000000000000..89d4709b6e7938cbc5c7d604ac2c479707d6ab5c
+--- /dev/null
++++ b/test/pleroma/web/xml_test.exs
+@@ -0,0 +1,10 @@
++defmodule Pleroma.Web.XMLTest do
++ use Pleroma.DataCase, async: true
++
++ alias Pleroma.Web.XML
++
++ test "refuses to load external entities from XML" do
++ data = File.read!("test/fixtures/xml_external_entities.xml")
++ assert(:error == XML.parse_document(data))
++ end
++end |
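Review bot: The new `fetch_fun` in lib/pleroma/web/xml.ex only blocks external resource fetches (SYSTEM entities, external DTDs), so internal entities are still expanded by xmerl and an entity-expansion ("billion laughs") document in a remote webfinger response can still exhaust memory without ever reaching the raise; as far as I can tell xmerl has no expansion cap, and `:binary.bin_to_list/1` already multiplies the input's memory footprint by turning every byte into a list cell, so a size bound on `text` is the practical mitigation, e.g. `@max_xml_bytes 1_000_000` (limit to be agreed) and a leading clause `def parse_document(text) when byte_size(text) > @max_xml_bytes, do: :error`. The raise is turned into `:error` by the `rescue` below, as both new tests confirm, but that coupling deserves a why-comment on the `fetch_fun:` line, e.g. `# Refuse every external fetch (SYSTEM entities, external DTDs) to prevent XXE; the rescue below maps this raise to :error.` Note the CHANGELOG heading says `## 2.5.54` while mix.exs bumps to 2.5.4, so one of them is a typo. `parse_document/1` starts in the hunk header context and its `rescue` clauses continue outside the hunk.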
