Merge branch 'releases/2.5.4' into 'stable'
Release 2.5.4 See merge request pleroma/pleroma!3929
This commit is contained in:
commit
1f4be2b349
7 changed files with 47 additions and 2 deletions
|
@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
|
## 2.5.54
|
||||||
|
|
||||||
|
## Security
|
||||||
|
- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
|
||||||
|
|
||||||
## 2.5.3
|
## 2.5.3
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
1
changelog.d/akkoma-xml-remote-entities.security
Normal file
1
changelog.d/akkoma-xml-remote-entities.security
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
|
|
@ -29,7 +29,10 @@ defmodule Pleroma.Web.XML do
|
||||||
{doc, _rest} =
|
{doc, _rest} =
|
||||||
text
|
text
|
||||||
|> :binary.bin_to_list()
|
|> :binary.bin_to_list()
|
||||||
|> :xmerl_scan.string(quiet: true)
|
|> :xmerl_scan.string(
|
||||||
|
quiet: true,
|
||||||
|
fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
|
||||||
|
)
|
||||||
|
|
||||||
{:ok, doc}
|
{:ok, doc}
|
||||||
rescue
|
rescue
|
||||||
|
|
2
mix.exs
2
mix.exs
|
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
|
||||||
def project do
|
def project do
|
||||||
[
|
[
|
||||||
app: :pleroma,
|
app: :pleroma,
|
||||||
version: version("2.5.3"),
|
version: version("2.5.4"),
|
||||||
elixir: "~> 1.11",
|
elixir: "~> 1.11",
|
||||||
elixirc_paths: elixirc_paths(Mix.env()),
|
elixirc_paths: elixirc_paths(Mix.env()),
|
||||||
compilers: [:phoenix, :gettext] ++ Mix.compilers(),
|
compilers: [:phoenix, :gettext] ++ Mix.compilers(),
|
||||||
|
|
3
test/fixtures/xml_external_entities.xml
vendored
Normal file
3
test/fixtures/xml_external_entities.xml
vendored
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
|
||||||
|
<stockCheck><productId>&xxe;</productId></stockCheck>
|
|
@ -180,5 +180,28 @@ defmodule Pleroma.Web.WebFingerTest do
|
||||||
|
|
||||||
{:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
|
{:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "refuses to process XML remote entities" do
|
||||||
|
Tesla.Mock.mock(fn
|
||||||
|
%{
|
||||||
|
url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
|
||||||
|
} ->
|
||||||
|
{:ok,
|
||||||
|
%Tesla.Env{
|
||||||
|
status: 200,
|
||||||
|
body: File.read!("test/fixtures/xml_external_entities.xml"),
|
||||||
|
headers: [{"content-type", "application/xrd+xml"}]
|
||||||
|
}}
|
||||||
|
|
||||||
|
%{url: "https://pawoo.net/.well-known/host-meta"} ->
|
||||||
|
{:ok,
|
||||||
|
%Tesla.Env{
|
||||||
|
status: 200,
|
||||||
|
body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
|
||||||
|
}}
|
||||||
|
end)
|
||||||
|
|
||||||
|
assert :error = WebFinger.finger("pekorino@pawoo.net")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
10
test/pleroma/web/xml_test.exs
Normal file
10
test/pleroma/web/xml_test.exs
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
defmodule Pleroma.Web.XMLTest do
|
||||||
|
use Pleroma.DataCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Web.XML
|
||||||
|
|
||||||
|
test "refuses to load external entities from XML" do
|
||||||
|
data = File.read!("test/fixtures/xml_external_entities.xml")
|
||||||
|
assert(:error == XML.parse_document(data))
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in a new issue