XML external entity processing - allow list (instance security hardening)

  • Release version: Washington DC
  • Updated February 1, 2024

    Use the glide.xml.entity.whitelist property to allow access to a comma-delimited list of FQDNs, if needed. These URLs are the only ones that can be reached using XML entity processing.

    Prerequisites

    Before setting this property, set the glide.xml.entity.whitelist.enabled property. That property enables validation of external entities and allows processing only for the inclusion list you specify in the glide.xml.entity.whitelist property. To learn more, see XMLdoc/XMLUtil entity validation with whitelisting.

    More information

    | Attribute | Description |
    | --- | --- |
    | Property name | glide.xml.entity.whitelist |
    | Configuration type | System Properties (/sys_properties_list.do) |
    | Configure in Instance Security Center | Yes |
    | Purpose | To create an inclusion list of URLs that XML entity processing can access. |
    | Recommended value | User Specified (for example, https://google.com) |
    | Functional impact | External entity processing might be blocked if the target is not mentioned in the inclusion list. When the inclusion list is enabled, it requires the PUBLIC form of an external entity definition. |
    | Security risk | (High) A DTD supplied by an attacker may include arbitrary HTTP requests that the server may execute. This could lead to other attacks that use the server's trust relationship with other entities. |

    To learn more about adding or creating a system property, see Add a system property.
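
The functional impact above can be checked before the property is enabled. The following is an added example, not ServiceNow code: a stand-alone JavaScript model that lists the external entities in an XML document and flags those that would be blocked. The function names, the sample hosts, and the rule that list entries and entity URLs are compared by hostname are assumptions.

```javascript
// Stand-alone model of the allow-list rule described on this page (not ServiceNow code).
// Assumption: list entries and entity URLs are compared by lower-cased hostname.
function hostOf(value) {
  const v = value.trim();
  try {
    return new URL(v.includes('://') ? v : 'https://' + v).hostname.toLowerCase();
  } catch (e) {
    return null; // not parseable as a URL or host name
  }
}

// Turn the comma-delimited property value into a set of host names.
function parseAllowList(propertyValue) {
  return new Set(propertyValue.split(',').map(hostOf).filter(Boolean));
}

// Report every external entity declaration (general or parameter) and its verdict.
function auditEntities(xml, propertyValue) {
  const allowed = parseAllowList(propertyValue);
  const decl = /<!ENTITY\s+(%\s+)?([^\s>]+)\s+(SYSTEM|PUBLIC)\s+(?:"([^"]*)"|'([^']*)')(?:\s+(?:"([^"]*)"|'([^']*)'))?/g;
  const findings = [];
  for (const m of xml.matchAll(decl)) {
    const form = m[3];
    // SYSTEM carries one literal (the URL); PUBLIC carries a public id, then the URL.
    const first = m[4] ?? m[5];
    const second = m[6] ?? m[7];
    const url = form === 'PUBLIC' ? second : first;
    const host = url ? hostOf(url) : null;
    let verdict;
    if (form !== 'PUBLIC') verdict = 'blocked: not PUBLIC form';
    else if (!host || !allowed.has(host)) verdict = 'blocked: host not in list';
    else verdict = 'allowed';
    findings.push({ name: m[2], form, host, verdict });
  }
  return findings;
}

// Constructed sample input; the hosts are placeholders.
const sampleXml = `<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY terms PUBLIC "-//EXAMPLE//TERMS//EN" "https://partner.example.com/terms.ent">
  <!ENTITY legacy SYSTEM "https://partner.example.com/legacy.ent">
  <!ENTITY meta PUBLIC "-//EXAMPLE//META//EN" "http://other.example.net/meta">
]>
<order>&terms;</order>`;

console.log(auditEntities(sampleXml, 'https://partner.example.com, docs.example.org'));
```

Running it against XML from existing integrations shows which hosts need to be added to the list and which declarations need converting from SYSTEM to PUBLIC form.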