Thanks, Gunther, for the response.
@Nico: I invite you to join the ongoing discussion on sane/safe defaults for the fn:doc and fn:parse-xml functions in the qtspecs repository [1]. User feedback is always appreciated.
Best, Christian
[1] https://github.com/qt4cg/qtspecs/issues/2034
________________________________
From: Gunther Rademacher via BaseX-Talk <basex-talk@mailman.uni-konstanz.de>
Sent: Thursday, July 3, 2025 7:28:14 PM
To: nverwer@rakensi.com; basex-talk@mailman.uni-konstanz.de
Subject: [basex-talk] Re: Security problem in 11.9?
Hi Nico,
I’ve pasted my reply from May 3 below, in case it was missed. From my perspective, that should address the issue - please let me know if you see it differently.
Best regards, Gunther
Sent: Saturday, 3 May 2025 at 01:19
From: "Gunther Rademacher" <grd@gmx.net>
To: nverwer@rakensi.com, basex-talk@mailman.uni-konstanz.de
Subject: Re: [basex-talk] Security problem in 11.9?
Hi Nico,
what you describe is the expected behaviour. Please be aware of the recent changes of fn:doc (and also fn:parse-xml) that were made in 11.9.
These functions now support options to control the access of external entities, in particular
- allow-external-entities: whether external entities are permitted (true) or rejected (false), default true
- dtd: whether external entities are processed (true) or ignored (false), default true.
In fact option dtd is not completely new, but previously its value was taken from the context option DTD, which defaults to false. So with 11.8, you could produce the same directory listing, that you experienced with 11.9, by running this on the document that you provided:
basex -ODTD=yes "doc('doc.xml')"
Now the options can be supplied per function call, they are independent of the context options, and the defaults are different. To restore the result that you were used to with 11.9, you need to run:
basex "doc('doc.xml', { 'dtd': false() })"
You can now also run this in order to reject any external entity references:
basex "doc('doc.xml', { 'allow-external-entities': false() })"
The changes were made to implement the XQuery 4.0 specification of these functions:
https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-doc https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-parse-xml
This is also described here:
https://docs.basex.org/12/Standard_Functions#fn:doc https://docs.basex.org/12/Standard_Functions#fn:parse-xml
Best regards, Gunther
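An added example, not part of the thread above and not BaseX project code: a small XQuery wrapper that applies the option map described in Gunther's message to fn:parse-xml so that untrusted input is parsed with external entities rejected, and that reports the rejection instead of letting the query fail. It assumes BaseX 11.9 or later (the option map on fn:parse-xml, the bare `{ ... }` map constructor); the function name local:parse-untrusted and the sample documents are constructed for this example, and the entity target file:///tmp/ is a placeholder directory rather than any specific path from the thread.

```xquery
(: Added example; assumes BaseX 11.9+ where fn:parse-xml accepts the
   { 'allow-external-entities', 'dtd' } option map with defaults of true.
   local:parse-untrusted is a hypothetical helper, not a BaseX function. :)
declare function local:parse-untrusted($xml as xs:string) as map(*) {
  try {
    {
      'ok': true(),
      'doc': parse-xml($xml, {
        (: reject, rather than merely ignore, any external entity reference :)
        'allow-external-entities': false(),
        (: and do not process the DTD at all; restores the pre-11.9 context default :)
        'dtd': false()
      })
    }
  } catch * {
    (: catch every error code so the caller sees why the input was refused :)
    { 'ok': false(), 'code': string($err:code), 'reason': $err:description }
  }
};

(: constructed inputs: a plain document, and one carrying an external entity
   that would be resolved under the 11.9 defaults :)
let $plain   := '<order id="42"><item>widget</item></order>'
let $payload := '<!DOCTYPE d [<!ENTITY x SYSTEM "file:///tmp/">]><d>&x;</d>'
for $input in ($plain, $payload)
let $result := local:parse-untrusted($input)
return if ($result?ok)
       then 'accepted: ' || serialize($result?doc)
       else 'rejected: ' || $result?code || ' ' || $result?reason
```

Run it with `basex query.xq`. The plain document is returned serialized; the document with the external entity is refused before any file is read, and the returned map carries the error code so a calling application can log it. Passing `{ 'allow-external-entities': false() }` alone is enough to reject the reference; `dtd: false()` is added here only to match the 11.8 behaviour of not processing the DTD.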