Anyone want to tackle OPML security?


Edward K. Ream

May 21, 2026, 7:59:26 AM (2 days ago) May 21
to leo-editor
#4684 reports some possible security issues with Leo's leoOPML.py plugin.

In fact, however, "external entity expansion" (whatever that means!) has always been off. A line that appears to turn such expansion on is immediately followed by a line that turns expansion off!

PR #4697 (merged into devel) does nothing but remove that redundancy.

#4684 makes other recommendations. They all sound like Greek to me:

- Reject `DOCTYPE` declarations and external entities in imported OPML.
- Consider using hardened XML parsing helpers such as defusedxml.
- Keep the importer fail-closed when unsafe XML features are encountered.

Does anyone use the leoOPML plugin? If not, the issue is moot.

Does anyone want to have a go at the remaining recommendations?

Edward

Thomas Passin

May 21, 2026, 9:19:06 AM (2 days ago) May 21
to leo-editor
An external entity is an external file that gets imported into the XML file (OPML is an XML format). They (meaning the URL they come from) are declared in the optional DOCTYPE declaration of the XML file. If you don't use the DTD then they won't get imported.

I don't see this as much of a security risk. The Issue says "... can cause sensitive local file contents to be read and copied into the outline". Yes, the outline could end up with unintended content from a local file. But what then? It's still only in a local file. If an attacker could get that file somehow, then he could have gotten the "sensitive local file" anyway - if he knew its file path beforehand.

defusedxml handles the case where one of those external entities expands the XML file by huge factors, in fact, by an exponential explosion. This can tie up all the computer's memory in seconds. One of these attack types has the name "billion laughs". Apparently defusedxml inspects the DTD for these kinds of entities. But if the DTD is disallowed then there can be no problem.

I don't think an OPML has any need for a DTD, so not processing one should be plenty good enough.
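As an added illustration (not code from Leo's leoOPML.py plugin, and not from either poster) of the "reject DOCTYPE, fail closed" approach recommended in the issue and argued for above: a minimal OPML importer on the standard-library expat parser that refuses any DOCTYPE before reading a single outline node, so neither external entities nor a "billion laughs" internal subset can ever be declared. The `parse_opml` function, the `UnsafeOPML` exception and the two sample documents are constructed for this example.

```python
import xml.parsers.expat


class UnsafeOPML(ValueError):
    """Raised when imported OPML uses an XML feature the importer refuses."""


def parse_opml(data: bytes) -> list:
    """Return nested (text, children) tuples for the <outline> elements.

    Fails closed: any DOCTYPE aborts the import. Entities (internal or
    external) can only be declared inside a DOCTYPE, so refusing it also
    rules out entity expansion and external file inclusion.
    """
    root: list = []
    stack = [root]  # children list of the element currently being filled

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeOPML(f"DOCTYPE {name!r} is not allowed in imported OPML")

    def external_entity(context, base, sysid, pubid):
        # Defence in depth: never resolve an external entity. With DOCTYPE
        # refused above, this handler can never actually be reached.
        raise UnsafeOPML(f"external entity {sysid!r} refused")

    def start_element(name, attrs):
        if name == "outline":
            node = (attrs.get("text", ""), [])
            stack[-1].append(node)
            stack.append(node[1])

    def end_element(name):
        if name == "outline":
            stack.pop()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(data, True)  # raises inside a handler -> import aborted
    return root


# Constructed sample inputs: a plain OPML outline, and one carrying a DOCTYPE.
GOOD_OPML = (b'<?xml version="1.0"?><opml version="2.0"><body>'
             b'<outline text="A"><outline text="B"/></outline>'
             b'<outline text="C"/></body></opml>')
DOCTYPE_OPML = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE opml SYSTEM "http://example.invalid/opml.dtd">'
                b'<opml version="2.0"><body><outline text="A"/></body></opml>')
```

Running `parse_opml(GOOD_OPML)` yields the nested headlines, while `parse_opml(DOCTYPE_OPML)` raises `UnsafeOPML` before any outline is read.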

Edward K. Ream

May 21, 2026, 9:33:40 AM (2 days ago) May 21
to leo-editor
On Thursday, May 21, 2026 at 6:59:26 AM UTC-5 Edward K. Ream wrote:
#4684 reports some possible security issues with Leo's leoOPML.py plugin.

In fact, however, "external entity expansion" (whatever that means!) has always been off. A line that appears to turn such expansion on is immediately followed by a line that turns expansion off!

Oops: The two lines concern two separate features. Happily, the OP confirms that deleting the line resolves the issue.

Afaik, no further work is needed.

Edward