Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Issue in Parsing XML using NSXMLDocument #169

Closed
prathaps opened this issue Apr 21, 2012 · 3 comments
Closed

Security Issue in Parsing XML using NSXMLDocument #169

prathaps opened this issue Apr 21, 2012 · 3 comments

Comments

@prathaps
Copy link

Hi Guys,

There is a security issue in the way Sparkle parses the xml. In the SUAppCast.m, in the:

  • (void)downloadDidFinish:(NSURLDownload *)aDownload {
    ....

document = [[[NSXMLDocument alloc] initWithContentsOfURL:[NSURL fileURLWithPath:downloadFilename] options:0 error:&error] autorelease];
...
}

If the xml file being parsed contains a reference to an external entity, that entity would be parsed. For instance take this simple xml file:

]>

Tove
Jani
Reminder

Don't forget me this weekend!+&someEntity;

notice that someEntity is an external entity pointing to some file on disc. This file could be dangerous. In this case it is simply a text file. But the above code that parses the xml document would subsititute the contents of the file when parsing the element.

Please see details of this security risk in:

http://www.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0

Instead if you use:

document = [[[NSXMLDocument alloc] initWithContentsOfURL:[NSURL fileURLWithPath:downloadFilename] options: options:NSXMLDocumentTidyXML error:&error] autorelease];

Notice the use of 'options:NSXMLDocumentTidyXML' instead of 'options:0', what you get after parsing is:

ToveJaniReminderDon't forget me this weekend!+&someEntity;

That is the external entity name has be quoted and hasn't been resolved.

My questions are:

  1. Are you going to address this in your next patch? If so, when will it be released?

  2. If not, can you please provide a way to make this change in the sparkle 1.5 without having to recompile sparkle? That is can we override some class in the application that is linking with sparkle framework to enable this secure xml parsing?

Thanks,

Prathap
@andymatuschak
Copy link
Contributor

I am told that one should not use NSXMLDocumentTidyXML to ensure that these entities are stripped (it's essentially just luck that they are stripped out by the tidier), but that NSXMLParser will take care of this situation reliably. I will try to make time in the next few weeks to rewrite the appcast parsing implementation on top of NSXMLParser, but if it gets much closer to WWDC, I'll be underwater.

@prathaps
Copy link
Author

Andy,

Thank you for your reply. It would be awesome if you can use NSXMLParser to patch the security hole. Please let me know when this is available. I will get back in touch with you in a few weeks!

Prathap

@andymatuschak
Copy link
Contributor

Using NSXMLParser would have been more work than I could spare time for in the near future, but I think that's okay: while we are mostly just getting lucky that NSXMLDocumentTidyXML happens to strip out these entities, and that would not be a future-proof approach, there's a new NSXMLDocument option for 10.7+ (NSXMLNodeLoadExternalEntitiesSameOriginOnly) which we can use going forward. Old OS versions that happened to behave in the way we want will continue to behave that way.

iloveitaly added a commit to iloveitaly/Sparkle that referenced this issue Aug 5, 2012
@iloveitaly
Merge branch 'andymatuschak/master'
ee6fece 
* andymatuschak/master: (170 commits)
  Adding Thai localizations to the project.
  Add Thai localization
  Update to the Brazilian Portuguese localization from Victor Figueriedo
  Removed Japanese localization of password prompt from the Xcode project
  Allow the user to try reentering his password if authentication fails.
  Removing Japanese localization of the password prompt, since I changed the design
  Delegated password prompting to the update driver.
  Use NSFileManager interface for DMG unarchive only for 10.7+. On 10.6,  [NSFileManager copyItemAtPath:toPath:error:] can fail with "Argument list too long" if the app bundle contains too many files. The switch to NSFileManager was only required for 10.7 anyway, 10.6 always worked fine.
  Removed changes to the project.pbxproj that were unrelated to the password prompt
  Redesigned password prompt UI
  Removed methods from SUPasswordPrompt.h that didn't need to be exposed there
  Fixes sparkle-project#44: maximumSystemVersion key
  remove the ASW tags since we're submitting this as a pull request to andy
  Updating Danish localization courtesy Daniel Østergaard Nielsen
  support for encrypted disk images
  Fixes sparkle-project#175: Bug: update alert text collides with automatic download checkbox
  Fixes sparkle-project#174: Bug: sparkle:shortVersionString ignored for non-enclosure items
  Fixes sparkle-project#170: An environment variable set by Sparkle
  Fixing some new Clang warnings from Xcode 4.4
  Fixes sparkle-project#169: Security Issue in Parsing XML using NSXMLDocument
  ...

Conflicts:
	SUUIBasedUpdateDriver.m
@reedloden reedloden mentioned this issue Jan 31, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andymatuschak @prathaps