For increased security, in the modeleditor do not resolve entities, a…

…nd remove processing instructions. See plone/Products.CMFPlone#3209
plone · Nov 16, 2020 · b11b514 · b11b514
1 parent d22ccee
commit b11b514
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/news/3209.bugfix b/news/3209.bugfix
@@ -0,0 +1,2 @@
+For increased security, in the modeleditor do not resolve entities, and remove processing instructions.
+[maurits]
diff --git a/plone/app/dexterity/browser/modeleditor.py b/plone/app/dexterity/browser/modeleditor.py
@@ -42,8 +42,12 @@ def __call__(self):
         source = self.request.form.get('source')
         if source:
             # Is it valid XML?
+            # Some safety measures.
+            # We do not want to load entities, especially file:/// entities.
+            # Also discard processing instructions.
+            parser = etree.XMLParser(resolve_entities=False, remove_pis=True)
             try:
-                root = etree.fromstring(source)
+                root = etree.fromstring(source, parser=parser)
             except etree.XMLSyntaxError as e:
                 return json.dumps({
                     'success': False,
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		For increased security, in the modeleditor do not resolve entities, and remove processing instructions.
		[maurits]