WP import xml entities & security considerations

Created on 17 March 2023, almost 2 years ago

Problem/Motivation

Reminded by malicious imports from a WordPress site that got spammed in an attack in its body field. That ended up imported into Drupal!

Basically it would be nice to have some security scan to catch obvious bad stuff in the XML files; it could save people from problems sneaking in. It could also help determine whether php-xml is exposed to entity attacks locally, which admins would probably be wise to think about before dumping tons of XML into their site that is potentially contaminated by drive-by users.

1. It seems possible that malicious XML could be fed into the module files.

2. A separate issue could be embedded scripts, particularly in comments, as well. This would be embedded inside the XML, so it may as well be mentioned here.

Proposed resolution

1. Test what happens with malicious XML embedded into a test import. A test import with malicious XML could be created for testing.

2. An option to lint the comment entries for script tags, CSS tags, eval statements, base64 encode statements, etc.
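The pre-import scan sketched in the two points above, written out as an added example in PHP (the concern here is php-xml); this is not code from the issue or from the WordPress Migrate module. It refuses entity declarations before parsing, parses with network access off, and lints comment bodies for the patterns listed above. The function name, the regexes and the sample export are this example's own assumptions.

```php
<?php
// Added example, not the WordPress Migrate module's code: a pre-import scan
// of a WXR export that (a) refuses DOCTYPE/ENTITY declarations, which every
// XML entity attack on php-xml depends on, (b) parses with network access
// disabled, and (c) flags script/style/eval/base64 patterns in comment bodies.

function scan_wxr_for_risks(string $xml): array {
    $findings = [];

    // (a) A WordPress export never carries a DOCTYPE, so any internal subset
    // or ENTITY declaration is grounds to flag the file before parsing it.
    // (This also fires on a CDATA section quoting a DOCTYPE; for a scanner
    // meant to be conservative that is acceptable.)
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml)) {
        return ['DOCTYPE/ENTITY declaration found: refusing to parse'];
    }

    // (b) LIBXML_NONET blocks fetching external resources during parsing.
    // Do NOT add LIBXML_NOENT: despite its name it turns entity substitution ON.
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $err = libxml_get_last_error();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return ['XML failed to parse' . ($err ? ': ' . trim($err->message) : '')];
    }

    // (c) Lint every comment body (wp:comment_content in WXR) for markup or
    // code that has no business in a blog comment. Regex is assumed/illustrative.
    $risky = '/<script\b|<style\b|\beval\s*\(|base64_decode\s*\(|;base64,/i';
    foreach ($dom->getElementsByTagNameNS('*', 'comment_content') as $i => $node) {
        if (preg_match($risky, $node->textContent, $m)) {
            $findings[] = sprintf('comment #%d contains suspicious token "%s"', $i + 1, $m[0]);
        }
    }
    return $findings;
}

// Constructed sample: a minimal WXR fragment with one spammed comment.
$sample = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">
 <channel><item>
  <wp:comment><wp:comment_content><![CDATA[Nice post <script>alert(1)</script>]]></wp:comment_content></wp:comment>
  <wp:comment><wp:comment_content><![CDATA[Thanks!]]></wp:comment_content></wp:comment>
 </item></channel>
</rss>
XML;

foreach (scan_wxr_for_risks($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it against a real export before the migration step; an empty result means neither check fired, not that the content is clean beyond these patterns.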

More info

✨ Feature request
Status

Active

Version

3.0

Component

Miscellaneous

Created by

🇺🇸 United States hongpong Philadelphia

  • Security improvements
