in reply to Best XML library to validate XML from untrusted source

From XML::Simple:

The use of this module in new code is discouraged. Other modules are available which provide more straightforward and consistent interfaces. In particular, XML::LibXML is highly recommended.

The major problems with this module are the large number of options and the arbitrary ways in which these options interact - often with unexpected results.

Patches with bug fixes and documentation fixes are welcome, but new features are unlikely to be added.

Essentially, the author has declared it broken by design. My understanding that the general advice these days is to use XML::Twig or XML::LibXML. And am not sure how vulnerable they are to untrusted sources.

I'm aware that this is a bit off point, and you specifically didn't want to recraft the code to use a new API, but....

#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.

  • Comment on Re: Best XML library to validate XML from untrusted source

Replies are listed 'Best First'.
Re^2: Best XML library to validate XML from untrusted source
by vsespb (Chaplain) on Oct 19, 2014 at 15:23 UTC
    Ok, Tested XML::LibXML - it is vulnerable.
[reply]

      I think you're supposed to disable external requests using various constructor parameters (as in XML::LibXML::Parser.pod.

      I presume that ext_ent_handler with your own callback to handle external entities would be enough, but I would still use or no_network to be on the safe(r) side.

[reply]
[d/l]
[select]
        Ok, this indeed works. And the POD page contains security related info. Thanks!
[reply]
Re^2: Best XML library to validate XML from untrusted source
by vsespb (Chaplain) on Oct 19, 2014 at 15:30 UTC
    Tested XML::Twig - seems vulnerable as well.
[reply]

In Section Seekers of Perl Wisdom