External entities can cause officedissector to freeze #13
Comments
Hi there - currently, officedissector is vulnerable to a specific type of denial of service using external entities. For example, an office document containing an external entity linking to /dev/random will wait for /dev/random to return a character, causing officedissector to hang without returning an error or timing out. Some possible solutions:
Any thoughts? I would be interested in helping with the patch, but wanted to get your opinion first.

Thanks for the write-up @dputtick. I like the second and third options. We should initially disable parsing of external entities in lxml (or maybe make it configurable). I like the idea of listing external entities as they are encountered, but if implementing it would require a ton of work then it may not be worthwhile right now. If you get a chance, could you try disabling parsing external entities and see how officedissector handles the included tests?

@naegelejd Sorry I'm late replying! I wrote a small POC for that change last month, and it passed all of the existing tests. I know that external entities are valid XML, but I'm not sure if a valid office document would ever have them.

I'm fine with disallowing external entities in OfficeDissector. If you want to share your POC as a pull request I'd be happy to merge it. Thanks for testing!
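As an added illustration (not code from the officedissector project or from anyone in this thread): the two mitigations discussed above, refusing to resolve external entities and listing the external entities a document declares, shown with Python's standard-library expat parser. The sample document, the entity names and the placeholder `SYSTEM` URL are all constructed for this example; the `file:///placeholder/...` path is not a real target and is never opened.

```python
import xml.parsers.expat as expat

# Constructed sample: a DTD internal subset declaring one internal entity and
# one external entity. The SYSTEM URL is a placeholder; it is never dereferenced.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY safe "inline text">
  <!ENTITY ext SYSTEM "file:///placeholder/external-resource">
]>
<doc>&safe;|&ext;</doc>
"""


def parse_without_external_entities(data):
    """Parse XML bytes with expat while refusing to resolve external entities.

    Returns (text, external_entities): text is the document's concatenated
    character data, external_entities is a list of (entity_name, system_id)
    for every external general entity declared in the DTD, so a caller can
    log or reject documents that carry them.
    """
    parser = expat.ParserCreate()
    # Never parse parameter entities, so no external DTD subset is fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    external = []
    text = []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones carry a system id.
        if system_id is not None:
            external.append((name, system_id))

    def external_entity_ref(context, base, system_id, public_id):
        # Returning 1 tells expat the reference was handled. We never open
        # system_id, so a reference to a blocking device cannot stall parsing;
        # the entity simply expands to nothing.
        return 1

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return "".join(text), external


if __name__ == "__main__":
    body, ext = parse_without_external_entities(SAMPLE_XML)
    print("text:", repr(body))
    for name, system_id in ext:
        print("external entity declared:", name, "->", system_id)
```

With this parser the external entity is reported (`ext -> file:///placeholder/external-resource`) but contributes no content, and parsing returns immediately. For lxml, which the thread says officedissector uses, the equivalent setting is constructing the parser with `resolve_entities=False`; the `no_network` and `load_dtd` options already default to the safe values.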