Merge pull request #317 from plone/maurits/cmfplone-issue-3209-lxml

Modeleditor: do not resolve entities, to avoid xml vulnerabilities
plone · Nov 16, 2020 · 69b9c31 · 69b9c31
2 parents d22ccee + b11b514
commit 69b9c31
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/news/3209.bugfix b/news/3209.bugfix
@@ -0,0 +1,2 @@
+For increased security, in the modeleditor do not resolve entities, and remove processing instructions.
+[maurits]
diff --git a/plone/app/dexterity/browser/modeleditor.py b/plone/app/dexterity/browser/modeleditor.py
@@ -42,8 +42,12 @@ def __call__(self):
         source = self.request.form.get('source')
         if source:
             # Is it valid XML?
+            # Some safety measures.
+            # We do not want to load entities, especially file:/// entities.
+            # Also discard processing instructions.
+            parser = etree.XMLParser(resolve_entities=False, remove_pis=True)
             try:
-                root = etree.fromstring(source)
+                root = etree.fromstring(source, parser=parser)
             except etree.XMLSyntaxError as e:
                 return json.dumps({
                     'success': False,
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		For increased security, in the modeleditor do not resolve entities, and remove processing instructions.
		[maurits]