Disable XML entities by default against XXE in Lucee 6.0 & 5.4

Description

Lucee should be secure by default

To override this for a specific use case with trusted XML, you can do the following:

application action="update" xmlFeatures={ "externalGeneralEntities": true, "secure": false, "disallowDoctypeDecl": false };
xml = xmlParse( trustedXml );
application action="update" xmlFeatures={ "externalGeneralEntities": false, "secure": true, "disallowDoctypeDecl": true };
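The same secure-by-default behaviour and the trusted-XML override from the description, as an added Python model built on the standard-library expat parser (not Lucee's code). The feature names are the ticket's; the mapping of "secure" onto parameter-entity handling is an assumption, and unlike the snippet above the override restores the defaults in a finally block so an exception during parsing cannot leave the relaxed settings active.

```python
import xml.parsers.expat as expat

# Constructed samples: a plain document, and one with a DOCTYPE declaring an internal
# entity, which is the construct disallowDoctypeDecl refuses.
PLAIN_XML = '<note>plain</note>'
DOCTYPE_XML = '<!DOCTYPE note [<!ENTITY greet "hello">]><note>&greet; world</note>'

# The ticket's three xmlFeatures keys with the Lucee 6.0 / 5.4 secure defaults; app_features
# stands in for the application-wide setting (a model of the behaviour, not Lucee's code).
SECURE_DEFAULTS = {"externalGeneralEntities": False, "secure": True, "disallowDoctypeDecl": True}
app_features = dict(SECURE_DEFAULTS)

class XmlFeatureViolation(ValueError):
    """Raised when a document uses a construct the active xmlFeatures forbid."""

def update_xml_features(**changes):
    """Equivalent of application action="update" xmlFeatures={...}."""
    app_features.update(changes)

def xml_parse(xml_text):
    """Parse with the active features and return the document's concatenated text."""
    f, parser, text = app_features, expat.ParserCreate(), []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if f["disallowDoctypeDecl"]:
            raise XmlFeatureViolation("DOCTYPE refused: disallowDoctypeDecl is true")

    def on_external_entity(context, base, sysid, pubid):
        if not f["externalGeneralEntities"]:
            raise XmlFeatureViolation("external entity refused: externalGeneralEntities is false")
        return 1  # trusted path: a real resolver would fetch sysid via ExternalEntityParserCreate

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = text.append
    # 'secure' is approximated here by never expanding parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER if f["secure"]
                                 else expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    parser.Parse(xml_text, True)
    return "".join(text)

def parse_trusted(xml_text):
    """The ticket's override pattern, but restoring the secure defaults in finally so a
    parse error cannot leave the relaxed settings active for the next request."""
    update_xml_features(externalGeneralEntities=True, secure=False, disallowDoctypeDecl=False)
    try:
        return xml_parse(xml_text)
    finally:
        update_xml_features(**SECURE_DEFAULTS)
```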

Activity

Pothys - MitrahSoft 28 July 2023 at 11:17

I checked this ticket with the latest Lucee versions 6.0.0.523-SNAPSHOT and 5.4.2.20-SNAPSHOT. Now XML entities are successfully disabled by default.

Zac Spitzer 19 July 2023 at 07:53

Zac Spitzer 18 July 2023 at 20:59

Still need to add back in the passthru of other directives

Zac Spitzer 18 July 2023 at 16:39

We have decided to also backport this to 5.4

Fixed

Created 13 April 2021 at 19:06
Updated 28 July 2023 at 11:17
Resolved 28 July 2023 at 11:17