[PR #2807] Harden XML parsing against XXE #2804

New issue

Open

opened 2026-03-04 02:07:22 +03:00 by kerem · 0 comments

kerem commented 2026-03-04 02:07:22 +03:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/s3fs-fuse/s3fs-fuse/pull/2807
Author: @CarstenGrohmann
Created: 2/23/2026
Status: 🔄 Open

Base: master ← Head: add_xml_entity_restrictions

---

📝 Commits (2)

• 1cc7e66 Raise minimum libxml2 version from 2.6 to 2.9
• 5c2cd2f Harden XML parser against XXE attacks

📊 Changes

6 files changed (+20 additions, -13 deletions)

View changed files

📝 COMPILATION.md (+2 -2)
📝 configure.ac (+8 -8)
📝 src/mpu_util.cpp (+1 -1)
📝 src/s3fs.cpp (+1 -1)
📝 src/s3fs_xml.cpp (+1 -1)
📝 src/s3fs_xml.h (+7 -0)

📄 Description

All three xmlReadMemory() calls pass options = 0. S3 responses never use DTDs or entities, so the parser should reflect that.

This PR:

• raises the minimum libxml2 from 2.6 to 2.9 (released 2012, all CI targets already have >= 2.9.7)
• sets XML_PARSE_NO_XXE on libxml2 >= 2.13 and XML_PARSE_NONET on 2.6–2.14 for defense in depth

Closes #2805

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/s3fs-fuse/s3fs-fuse/pull/2807 **Author:** [@CarstenGrohmann](https://github.com/CarstenGrohmann) **Created:** 2/23/2026 **Status:** 🔄 Open **Base:** `master` ← **Head:** `add_xml_entity_restrictions` --- ### 📝 Commits (2) - [`1cc7e66`](https://github.com/s3fs-fuse/s3fs-fuse/commit/1cc7e66a0294ce7b0b1c2ffecd756545a0ef17e0) Raise minimum libxml2 version from 2.6 to 2.9 - [`5c2cd2f`](https://github.com/s3fs-fuse/s3fs-fuse/commit/5c2cd2faa89a6ba564e3c9a022a8c7e0a8496df2) Harden XML parser against XXE attacks ### 📊 Changes **6 files changed** (+20 additions, -13 deletions) <details> <summary>View changed files</summary> 📝 `COMPILATION.md` (+2 -2) 📝 `configure.ac` (+8 -8) 📝 `src/mpu_util.cpp` (+1 -1) 📝 `src/s3fs.cpp` (+1 -1) 📝 `src/s3fs_xml.cpp` (+1 -1) 📝 `src/s3fs_xml.h` (+7 -0) </details> ### 📄 Description All three `xmlReadMemory()` calls pass `options = 0`. S3 responses never use DTDs or entities, so the parser should reflect that. This PR: - raises the minimum libxml2 from 2.6 to 2.9 (released 2012, all CI targets already have >= 2.9.7) - sets `XML_PARSE_NO_XXE` on libxml2 >= 2.13 and `XML_PARSE_NONET` on 2.6–2.14 for defense in depth Closes #2805 --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

kerem added the

pull-request

label 2026-03-04 02:07:22 +03:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v1.97

v1.96

v1.95

v1.94

v1.93

v1.92

v1.91

v1.90

v1.89

v1.88

v1.87

v1.86

v1.85

v1.84

v1.83

v1.82

v1.81

v1.80

v1.79

v1.78

Pre-v1.78

v1.77

v1.76

v1.75

v1.74

Labels

Clear labels   

bug

  

bug

  

dataloss

  

duplicate

  

enhancement

  

feature request

  

help wanted

  

invalid

  

need info

  

performance

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

testing

No labels

bug

bug

dataloss

duplicate

enhancement

feature request

help wanted

invalid

need info

performance

pull-request

question

question

testing

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/s3fs-fuse#2804

No description provided.