Re: Best XML library to validate XML from untrusted source

by kennethk (Abbot)
on Oct 19, 2014 at 15:11 UTC


in reply to Best XML library to validate XML from untrusted source

From XML::Simple:

The use of this module in new code is discouraged. Other modules are available which provide more straightforward and consistent interfaces. In particular, XML::LibXML is highly recommended.

The major problems with this module are the large number of options and the arbitrary ways in which these options interact - often with unexpected results.

Patches with bug fixes and documentation fixes are welcome, but new features are unlikely to be added.

Essentially, the author has declared it broken by design. My understanding is that the general advice these days is to use XML::Twig or XML::LibXML, and I am not sure how vulnerable they are to untrusted sources.

I'm aware that this is a bit off point, and you specifically didn't want to recraft the code to use a new API, but....


#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.

Re^2: Best XML library to validate XML from untrusted source
by vsespb (Chaplain) on Oct 19, 2014 at 15:23 UTC
    Ok, tested XML::LibXML - it is vulnerable.

      I think you're supposed to disable external requests using various constructor parameters (as in XML::LibXML::Parser.pod).

      I presume that ext_ent_handler with your own callback to handle external entities would be enough, but I would still use or no_network to be on the safe(r) side.

        Ok, this indeed works. And the POD page contains security related info. Thanks!
Re^2: Best XML library to validate XML from untrusted source
by vsespb (Chaplain) on Oct 19, 2014 at 15:30 UTC
    Tested XML::Twig - seems vulnerable as well.
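An added example, not code from this thread, showing the XML::LibXML constructor options discussed above combined into a parser built for untrusted input. The sample document, the choice to combine every option, and the helper names are this example's assumptions; the option names themselves are the ones documented in XML::LibXML::Parser.

```perl
use strict;
use warnings;
use XML::LibXML qw(:libxml);   # exports XML_ENTITY_REF_NODE and friends

# Constructed untrusted input (not from the thread): it declares an
# external entity. With default parser settings libxml2 may fetch that
# URL (or a file:// path) and splice the result into the document.
my $untrusted_xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "http://untrusted.example/resource">
]>
<note>&ext;</note>
XML

# Hardened parser. Option names are those documented in
# XML::LibXML::Parser; combining all of them is this example's choice.
sub hardened_parser {
    return XML::LibXML->new(
        no_network      => 1,   # never open network URLs
        load_ext_dtd    => 0,   # do not fetch external DTD subsets
        expand_entities => 0,   # leave entity references unexpanded
        validate        => 0,   # do not DTD-validate against the input's own DTD
        huge            => 0,   # keep libxml2 size/depth limits
        ext_ent_handler => sub {       # last line of defence: refuse any
            my ($url, $id) = @_;       # external entity still requested
            die "refused external entity " . ($url // $id // '') . "\n";
        },
    );
}

# Parse untrusted input; returns ($doc, undef) or (undef, $error).
sub parse_untrusted {
    my ($xml) = @_;
    my $doc = eval { hardened_parser()->load_xml(string => $xml) };
    return $@ ? (undef, $@) : ($doc, undef);
}
# Count entity reference nodes left unexpanded under an element.
sub unexpanded_refs {
    my ($elem) = @_;
    return scalar grep { $_->nodeType == XML_ENTITY_REF_NODE } $elem->childNodes;
}
my ($doc, $err) = parse_untrusted($untrusted_xml);
if ($err) {
    print "rejected: $err";
} else {
    my ($note) = $doc->findnodes('/note');
    printf "parsed; %d unexpanded entity reference(s) in <note>\n", unexpanded_refs($note);
}
```

Either outcome is acceptable for untrusted input: the document is rejected outright, or it parses with the entity reference left in place and nothing fetched.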
