Harden XML parser against XXE attacks

Set XML_PARSE_NO_XXE or XML_PARSE_NONET on all xmlReadMemory() calls to block external entity loading. S3 responses never use DTDs.
Recent Commits to s3fs-fuse:master
- Harden XML parser against XXE attacks
- Raise minimum libxml2 version from 2.6 to 2.9

  libxml2 2.9.0 (Sep 2012) disabled loading of external parsed entities by default, which prevents XXE attacks when parsing S3 API responses with options=0. All CI targets already ship libxml2 >= 2.9.7