Description: CVE-2013-1915: Vulnerable to XXE attacks This upstream patch has been backported to the Wheezy version. Author: Thomas Goirand Bug-Debian: http://bugs.debian.org/704625 Origin: upstream, https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe Reviewed-By: Alberto Gonzalez Iniesta Last-Update: <2013-04-06> Index: libapache-mod-security-2.5.12/apache2/msc_xml.c =================================================================== --- libapache-mod-security-2.5.12.orig/apache2/msc_xml.c 2010-02-04 00:50:24.000000000 +0100 +++ libapache-mod-security-2.5.12/apache2/msc_xml.c 2013-04-06 17:43:41.693429800 +0200 @@ -18,17 +18,27 @@ */ #include "msc_xml.h" +static xmlParserInputBufferPtr +xml_unload_external_entity(const char *URI, xmlCharEncoding enc) { + return NULL; +} /** * Initialise XML parser. */ int xml_init(modsec_rec *msr, char **error_msg) { + xmlParserInputBufferCreateFilenameFunc entity; + if (error_msg == NULL) return -1; *error_msg = NULL; msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data)); if (msr->xml == NULL) return -1; + if(msr->txcfg->xml_external_entity == 0) { + entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity); + } + return 1; } Index: libapache-mod-security-2.5.12/apache2/apache2_config.c =================================================================== --- libapache-mod-security-2.5.12.orig/apache2/apache2_config.c 2010-02-05 19:26:43.000000000 +0100 +++ libapache-mod-security-2.5.12/apache2/apache2_config.c 2013-04-06 17:49:35.173514493 +0200 @@ -125,6 +125,9 @@ dcfg->request_encoding = NOT_SET_P; + /* xml external entity */ + dcfg->xml_external_entity = NOT_SET; + return dcfg; } 
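Review bot: In xml_init, the call `xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity)` replaces a libxml2 default that is not scoped to this transaction, although the decision to call it comes from the per-directory `msr->txcfg->xml_external_entity`. The previous handler is stored in `entity` and never used again, so once a request from a context with the setting off has run, later requests under `SecXmlExternalEntity On` (and presumably any other libxml2 user in the same process or thread) keep the blocking handler. That fails closed for XXE, but the directive then does not behave per scope as the merge code in apache2_config.c implies. Either keep the old handler in the transaction's XML state and put it back when that state is torn down with `xmlParserInputBufferCreateFilenameDefault(entity);`, or drop the unused local and add a comment such as `/* libxml2-wide setting: stays in force after this transaction ends */`.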
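Review bot: The comment `/* xml external entity */` added beside `dcfg->xml_external_entity = NOT_SET;` does not say what the values mean. The same terse comment recurs in the hunks at -483 and -573 of this file, and as `/* xml */` on the new field in modsecurity.h. Since 0 is the value that makes xml_init block external entity loading and is also the default applied when nothing is configured, it is worth stating once on the field, e.g. `/* SecXmlExternalEntity: 1 = external entities may be loaded, 0 = loading blocked (default), NOT_SET = inherit from parent */`. The enclosing functions start outside these hunks.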
@@ -483,6 +486,10 @@ merged->request_encoding = (child->request_encoding == NOT_SET_P ? parent->request_encoding : child->request_encoding); + /* xml external entity */ + merged->xml_external_entity = (child->xml_external_entity == NOT_SET + ? parent->xml_external_entity : child->xml_external_entity); + return merged; } @@ -573,6 +580,8 @@ if (dcfg->request_encoding == NOT_SET_P) dcfg->request_encoding = NULL; + /* xml external entity */ + if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0; } /** @@ -1698,6 +1707,32 @@ } +/** +* \brief Add SecXmlExternalEntity configuration option +* +* \param cmd Pointer to configuration data +* \param _dcfg Pointer to directory configuration +* \param p1 Pointer to configuration option +* +* \retval NULL On failure +* \retval apr_psprintf On Success +*/ +static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1) +{ + directory_config *dcfg = (directory_config *)_dcfg; + if (dcfg == NULL) return NULL; + + if (strcasecmp(p1, "on") == 0) { + dcfg->xml_external_entity = 1; + } + else if (strcasecmp(p1, "off") == 0) { + dcfg->xml_external_entity = 0; + } + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1); + + return NULL; +} + /* PCRE Limits */ static const char *cmd_pcre_match_limit(cmd_parms *cmd, @@ -2057,6 +2092,14 @@ "component signature to add to ModSecurity signature." ), + AP_INIT_TAKE1 ( + "SecXmlExternalEntity", + cmd_xml_external_entity, + NULL, + CMD_SCOPE_ANY, + "On or Off" + ), + AP_INIT_FLAG ( "SecContentInjection", cmd_content_injection, Index: libapache-mod-security-2.5.12/apache2/modsecurity.h =================================================================== --- libapache-mod-security-2.5.12.orig/apache2/modsecurity.h 2010-02-05 19:15:31.000000000 +0100 +++ libapache-mod-security-2.5.12/apache2/modsecurity.h 2013-04-06 17:48:52.991465392 +0200 
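Review bot: The doc comment on `cmd_xml_external_entity` has the return values the wrong way round: the function returns NULL after accepting `on` or `off`, and returns the `apr_psprintf` message only for an invalid value. I would write `\retval NULL On success` and `\retval error-string On an invalid value`. The early `if (dcfg == NULL) return NULL;` also reports success without applying anything, so in that case the directive is silently ignored; returning an error string there would make a dropped security setting visible, unless the other handlers in this file (not shown in the hunk) deliberately follow the same pattern.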
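Review bot: The help string `"On or Off"` on the new `SecXmlExternalEntity` entry tells an administrator nothing about what is being switched. A description along the lines of `"On or Off: allow the XML parser to load external entities (default Off)"` would make the security meaning visible wherever Apache prints directive help. As a point of style, the entry uses `AP_INIT_TAKE1` with hand-written on/off parsing while the neighbouring `SecContentInjection` entry uses `AP_INIT_FLAG`; switching would change the handler signature, so it may not be wanted in a backport. The command table begins and ends outside the hunk.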
@@ -477,6 +477,9 @@ /* Request character encoding. */ const char *request_encoding; + + /* xml */ + int xml_external_entity; }; struct error_message {