
Document that XMLParser is unsafe #5237

@nwellnhof

Description


XMLParser is based on libxml2, an open-source library developed by hobbyists about 25 years ago. This code has never been up to modern standards and contains multiple unfixed security issues concerning algorithmic complexity. It has always been trivial to mount DoS attacks, making libxml2 consume minutes or hours of CPU time when processing documents of a few megabytes or less in size. This means that XMLParser should never be used to process untrusted input.

I'm aware that Apple is unwilling to contribute to the OSS projects they incorporate in their operating systems. All I'm asking is that you update your documentation and be honest about defects in third-party code. Please make it clear that XMLParser should only be used with trusted input or in a sandbox.
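A defensive wrapper for the use the issue does permit (trusted or bounded input, with isolation), as an added example that is not part of the issue, of Foundation, or of libxml2. It assumes a hypothetical `boundedParse` helper: it rejects input over a byte cap, turns off external entity resolution, and aborts the parse from inside the delegate callbacks once a wall-clock deadline passes (`abortParsing()` is only safe to call on the parsing thread, which is why the check lives in the callbacks). The caveat matters: a superlinear step inside libxml2 that runs without invoking any delegate callback cannot be interrupted this way, so this is a first line of defense only, and genuinely untrusted documents still belong in a separate process or sandbox as the issue asks.

```swift
import Foundation

/// Outcome of a bounded parse. Hypothetical type for this example.
enum BoundedParseResult {
    case ok(elementCount: Int)
    case rejectedTooLarge(bytes: Int)
    case abortedDeadline(afterElements: Int)
    case failed(Error?)
}

/// Delegate that counts elements and aborts the parse once `deadline` passes.
/// The deadline is checked only when libxml2 calls back into us, so a long
/// non-reentrant step inside the parser cannot be cut short here.
final class DeadlineDelegate: NSObject, XMLParserDelegate {
    let deadline: Date
    private(set) var elementCount = 0
    private(set) var hitDeadline = false

    init(deadline: Date) { self.deadline = deadline }

    private func checkDeadline(_ parser: XMLParser) {
        if Date() > deadline {
            hitDeadline = true
            parser.abortParsing()   // safe: we are on the parsing thread
        }
    }

    func parser(_ parser: XMLParser, didStartElement elementName: String,
                namespaceURI: String?, qualifiedName qName: String?,
                attributes attributeDict: [String: String] = [:]) {
        elementCount += 1
        checkDeadline(parser)
    }

    func parser(_ parser: XMLParser, foundCharacters string: String) {
        checkDeadline(parser)
    }
}

/// Parse `data` only if it is at most `maxBytes`, with external entity
/// resolution disabled and `timeout` enforced from the delegate callbacks.
/// Hypothetical helper, not a Foundation API.
func boundedParse(_ data: Data, maxBytes: Int = 1 << 20,
                  timeout: TimeInterval = 2.0) -> BoundedParseResult {
    guard data.count <= maxBytes else {
        return .rejectedTooLarge(bytes: data.count)
    }
    let parser = XMLParser(data: data)
    parser.shouldResolveExternalEntities = false   // no file or network fetches
    let delegate = DeadlineDelegate(deadline: Date().addingTimeInterval(timeout))
    parser.delegate = delegate
    let finished = parser.parse()
    if delegate.hitDeadline {
        return .abortedDeadline(afterElements: delegate.elementCount)
    }
    return finished ? .ok(elementCount: delegate.elementCount)
                    : .failed(parser.parserError)
}

// Constructed sample input for the example (not taken from the issue).
let sample = """
<?xml version="1.0"?>
<inventory><item id="1">widget</item><item id="2">gadget</item></inventory>
""".data(using: .utf8)!

switch boundedParse(sample) {
case .ok(let n):                print("parsed \(n) elements")
case .rejectedTooLarge(let b):  print("rejected: \(b) bytes over cap")
case .abortedDeadline(let n):   print("aborted after \(n) elements")
case .failed(let e):            print("parse error: \(String(describing: e))")
}
```

The byte cap is the only check here that holds regardless of where time is spent inside libxml2; the deadline and the entity setting reduce exposure but do not make the parser safe for arbitrary input.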
