Diffstat (limited to 'patches/7(2.5.4).diff')
| -rwxr-xr-x | patches/7(2.5.4).diff | 110 |
1 files changed, 0 insertions, 110 deletions
diff --git a/patches/7(2.5.4).diff b/patches/7(2.5.4).diff
deleted file mode 100755
index d630ee3..0000000
--- a/patches/7(2.5.4).diff
+++ /dev/null
@@ -1,110 +0,0 @@
-diff --git a/CHANGELOG.md b/CHANGELOG.md
-index 468ec101293b462c8eddaddf375d0de9e8d68fcd..9d9aadc6e8a0162d8944622f783a6301fefd6cfa 100644
---- a/CHANGELOG.md
-+++ b/CHANGELOG.md
-@@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
-
- ### Removed
-
-+## 2.5.54
-+
-+## Security
-+- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
-+
- ## 2.5.3
-
- ### Security
-diff --git a/changelog.d/akkoma-xml-remote-entities.security b/changelog.d/akkoma-xml-remote-entities.security
-new file mode 100644
-index 0000000000000000000000000000000000000000..5e6725e5bb5ad6a7140beb8245676a1fa0408086
---- /dev/null
-+++ b/changelog.d/akkoma-xml-remote-entities.security
-@@ -0,0 +1 @@
-+Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
-diff --git a/lib/pleroma/web/xml.ex b/lib/pleroma/web/xml.ex
-index b699446b007b07ec9e7e5f057ba6532d405a77cd..380a80ab83afe367b08a9770cac110440c6f4ccf 100644
---- a/lib/pleroma/web/xml.ex
-+++ b/lib/pleroma/web/xml.ex
-@@ -29,7 +29,10 @@ def parse_document(text) do
- {doc, _rest} =
- text
- |> :binary.bin_to_list()
-- |> :xmerl_scan.string(quiet: true)
-+ |> :xmerl_scan.string(
-+ quiet: true,
-+ fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
-+ )
-
- {:ok, doc}
- rescue
-diff --git a/mix.exs b/mix.exs
-index d1cdb151dd25545b31f777e8c3b57e42db673357..12f721364dd75744651e5044936d195684d8cf08 100644
---- a/mix.exs
-+++ b/mix.exs
-@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
- def project do
- [
- app: :pleroma,
-- version: version("2.5.3"),
-+ version: version("2.5.4"),
- elixir: "~> 1.11",
- elixirc_paths: elixirc_paths(Mix.env()),
- compilers: [:phoenix, :gettext] ++ Mix.compilers(),
-diff --git a/test/fixtures/xml_external_entities.xml b/test/fixtures/xml_external_entities.xml
-new file mode 100644
-index 
0000000000000000000000000000000000000000..d5ff87134734bd072f57e41ff7662638c0cc22c8
---- /dev/null
-+++ b/test/fixtures/xml_external_entities.xml
-@@ -0,0 +1,3 @@
-+<?xml version="1.0" encoding="UTF-8"?>
-+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
-+<stockCheck><productId>&xxe;</productId></stockCheck>
-diff --git a/test/pleroma/web/web_finger_test.exs b/test/pleroma/web/web_finger_test.exs
-index fafef54fe7040df234ee0931787a024481f6f053..be5e08776becca8ade9710f76f41a7678a2fb7c8 100644
---- a/test/pleroma/web/web_finger_test.exs
-+++ b/test/pleroma/web/web_finger_test.exs
-@@ -180,5 +180,28 @@ test "respects xml content-type" do
-
- {:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
- end
-+
-+ test "refuses to process XML remote entities" do
-+ Tesla.Mock.mock(fn
-+ %{
-+ url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
-+ } ->
-+ {:ok,
-+ %Tesla.Env{
-+ status: 200,
-+ body: File.read!("test/fixtures/xml_external_entities.xml"),
-+ headers: [{"content-type", "application/xrd+xml"}]
-+ }}
-+
-+ %{url: "https://pawoo.net/.well-known/host-meta"} ->
-+ {:ok,
-+ %Tesla.Env{
-+ status: 200,
-+ body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
-+ }}
-+ end)
-+
-+ assert :error = WebFinger.finger("pekorino@pawoo.net")
-+ end
- end
- end
-diff --git a/test/pleroma/web/xml_test.exs b/test/pleroma/web/xml_test.exs
-new file mode 100644
-index 0000000000000000000000000000000000000000..89d4709b6e7938cbc5c7d604ac2c479707d6ab5c
---- /dev/null
-+++ b/test/pleroma/web/xml_test.exs
-@@ -0,0 +1,10 @@
-+defmodule Pleroma.Web.XMLTest do
-+ use Pleroma.DataCase, async: true
-+
-+ alias Pleroma.Web.XML
-+
-+ test "refuses to load external entities from XML" do
-+ data = File.read!("test/fixtures/xml_external_entities.xml")
-+ assert(:error == XML.parse_document(data))
-+ end
-+end |
