In the section above, notice that dtd_section_config/template.xml contains a reference to "http://www.xmlmind.com/dtd/section.dtd" and xsd_section_config/template.xml contains a reference to "http://www.xmlmind.com/xsd/section.xsd". Well, these files do not exist! Anyway, as explained in "XML Entity and URI Resolvers", even a real reference to a schema file would have ended up posing interchange problems.
Nevertheless, thanks to the XML catalogs found in the configuration directories, XXE has no problem loading the local copy of section.dtd and the local copy of section.xsd.
File dtd_section_config/catalog.xml (configuration based on DTD):

<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" prefer="public">
  <public publicId="-//XMLmind//DTD Simple Section//EN" uri="section.dtd"/>
</catalog>

The above catalog associates the public DTD ID "-//XMLmind//DTD Simple Section//EN" referenced in a document instance to local copy section.dtd (local because its URI is relative to catalog.xml).
File xsd_section_config/catalog.xml (configuration based on XML Schema):

<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <uri name="http://www.xmlmind.com/xsd/section.xsd" uri="section.xsd"/>
</catalog>

The above catalog associates the absolute URI "http://www.xmlmind.com/xsd/section.xsd" referenced in a document instance to local copy section.xsd (local because its URI is relative to catalog.xml).
Note that, in the case of the configuration based on RELAX NG, because a document instance never directly references its schema, there is no need for an XML catalog.
For XXE to discover and load an XML catalog, the file containing it must have a name ending with string "catalog.xml". Examples: catalog.xml, mycatalog.xml, foo_catalog.xml.
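As an added illustration (not XXE's own resolver code), the following Python reproduces the two catalog lookups described above: a public ID mapped by a <public> entry, an absolute URI mapped by a <uri> entry, relative "uri" attributes resolved against the catalog's own directory, and the "catalog.xml" file-name rule. The sample catalog texts are constructed copies of the two catalogs shown above; a reference that no catalog maps resolves to None rather than falling back to the remote URL, so nothing is fetched from the network.

```python
import posixpath
import xml.etree.ElementTree as ET

CATALOG_NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"

# Constructed copies of the two catalogs discussed above.
DTD_CATALOG = """<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" prefer="public">
  <public publicId="-//XMLmind//DTD Simple Section//EN" uri="section.dtd"/>
</catalog>"""

XSD_CATALOG = """<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <uri name="http://www.xmlmind.com/xsd/section.xsd" uri="section.xsd"/>
</catalog>"""


def is_catalog_file(filename):
    """XXE only discovers catalogs whose file name ends with 'catalog.xml'."""
    return posixpath.basename(filename).endswith("catalog.xml")


def load_catalog(xml_text, catalog_dir):
    """Parse an OASIS XML catalog into (public_map, uri_map).

    Relative 'uri' attributes are resolved against the directory that holds
    the catalog file, which is what makes the mapped copies local.
    """
    root = ET.fromstring(xml_text)
    public_map, uri_map = {}, {}
    for entry in root:
        local = posixpath.normpath(posixpath.join(catalog_dir, entry.get("uri", "")))
        if entry.tag == CATALOG_NS + "public":
            public_map[entry.get("publicId")] = local
        elif entry.tag == CATALOG_NS + "uri":
            uri_map[entry.get("name")] = local
    return public_map, uri_map


def resolve(public_map, uri_map, public_id=None, uri=None):
    """Map a DTD public ID or a schema URI to its local copy.

    Returns None when nothing in the catalog matches, so the caller can
    refuse to load the reference instead of dereferencing the remote URL.
    """
    if public_id is not None and public_id in public_map:
        return public_map[public_id]
    if uri is not None and uri in uri_map:
        return uri_map[uri]
    return None
```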