File inclusion irregularities · Advisory · ietf-tools/xml2rfc · GitHub
Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag. This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references.

It was discovered that xml2rfc does not respect --allow-local-file-access when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source dir and below without using the --allow-local-file-access flag.

The xml2rfc <= 3.26.0 behaviour (table: columns xinclude, artwork src= and sourcecode src=; rows "without --allow-local-file-access flag" and "with --allow-local-file-access flag"; the cell values are not preserved in this copy).

Impact

Anyone running xml2rfc as a service that accepts input from external users is impacted by this issue. Specifying a file in the src attribute of artwork or sourcecode elements will cause the contents of that file to appear in xml2rfc's output results. But that file has to be inside the same directory as the XML input source file: for artwork and sourcecode, xml2rfc will not look above the source file directory.

The proposed new behaviour: templates_dir for XML entity includes.

New behaviour (table: columns xinclude, artwork src= and sourcecode src=; rows "without --allow-local-file-access flag (templates_dir)" and "with --allow-local-file-access flag (templates_dir)"; the cell values are not preserved in this copy).

Workarounds
Use a secure temporary directory to process untrusted XML files, and do not reuse it for processing other XML documents.
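As an added example (not part of the advisory or of the xml2rfc project), this Python script implements a pre-flight check for the elements the advisory names and the workaround it suggests: it lists artwork/sourcecode src= values and xi:include href= values that name a local path rather than an http(s) URL, so a service can reject such documents before rendering, and it renders a document inside a fresh private temporary directory that holds only the input. The xml2rfc --text and --out options are real; the sample document, function names and file names are constructed assumptions.

```python
import os
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"

def local_includes(xml_text):
    """Return (tag, reference) pairs for artwork/sourcecode src= and xi:include
    href= values that name a local path instead of an http(s) URL."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        if el.tag in ("artwork", "sourcecode") and "src" in el.attrib:
            ref = el.attrib["src"]
        elif el.tag == XI_INCLUDE and "href" in el.attrib:
            ref = el.attrib["href"]
        else:
            continue
        # file:, relative and absolute paths all lack an http(s) scheme
        if urlparse(ref).scheme not in ("http", "https"):
            found.append((el.tag, ref))
    return found

def render_isolated(xml_text, xml2rfc="xml2rfc"):
    """Advisory workaround: render inside a fresh mode-0700 temp dir holding only
    the input, then delete it, so a local src= or entity reference reaches nothing else."""
    workdir = tempfile.mkdtemp(prefix="xml2rfc-")
    try:
        src = os.path.join(workdir, "draft.xml")
        out = os.path.join(workdir, "draft.txt")
        with open(src, "w", encoding="utf-8") as fh:
            fh.write(xml_text)
        subprocess.run([xml2rfc, "--text", "--out", out, src], check=True, cwd=workdir)
        with open(out, encoding="utf-8") as fh:
            return fh.read()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

# Constructed sample: one local sourcecode src, one remote artwork src, one xi:include
SAMPLE = """<rfc docName="draft-example-00" xmlns:xi="http://www.w3.org/2001/XInclude">
  <front><title>Example</title></front><middle><section><name>Code</name>
    <sourcecode type="python" src="local-file.txt"/>
    <artwork src="https://example.com/fig.txt"/>
    <xi:include href="refs.xml"/>
  </section></middle>
</rfc>"""
```

Call local_includes(SAMPLE) before handing a document to render_isolated and refuse the document when the list is non-empty; a non-remote reference is the only case the advisory's fix and workaround need to cover.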
Footnotes
1. Access any file of the filesystem that the user running xml2rfc can access.