From f02004601780c9281a192293f963854e8ecf1179 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 12 Aug 2019 15:25:40 +0200
Subject: [PATCH] loader: Don't expand entities when parsing XML
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The XML_PARSE_NOENT flag to libxml will cause it to expand all entities
in the input XML document when parsing. Doing this is bad practice if the
XML input file comes from an untrusted source, because it can cause the
XML parser to load arbitrary files that are readable by the user running
XML parsing.
This is basically the same fix as 47233d0b9dc (from osinfo-db-tools)
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
---
osinfo/osinfo_loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
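diff --git a/osinfo/osinfo_loader.c b/osinfo/osinfo_loader.c
index 51bd8ac..833a7e5 100644
--- a/osinfo/osinfo_loader.c
+++ b/osinfo/osinfo_loader.c
@@ -1844,7 +1844,7 @@ static void osinfo_loader_process_xml(OsinfoLoader *loader,
 pctxt->sax->error = catchXMLError;
 
 xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, src, NULL,
-XML_PARSE_NOENT | XML_PARSE_NONET |
+XML_PARSE_NONET |
 XML_PARSE_NOWARNING);
 if (!xml)
 goto cleanup;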
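Review bot: The flag list passed to `xmlCtxtReadDoc` carries no hint that XML_PARSE_NOENT was removed on purpose, so a future "tidy-up" could reintroduce it; a comment above the call such as `/* Deliberately no XML_PARSE_NOENT: expanding entities from an untrusted osinfo-db file could read local files */` would pin the intent in the code rather than only in the commit message. Without XML_PARSE_NOENT, libxml2 (as far as I recall) keeps entity references in the parsed tree as entity-reference nodes instead of substituting their content, so any loader code that walks child nodes and expects only text nodes may now see a different shape — worth confirming against the callers, which are not visible here. XML_PARSE_NONET is retained, so fetching external DTDs or entities over the network remains blocked. The enclosing osinfo_loader_process_xml begins before this hunk.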
--
2.21.0