Blob Blame History Raw
From f02004601780c9281a192293f963854e8ecf1179 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 12 Aug 2019 15:25:40 +0200
Subject: [PATCH] loader: Don't expand entities when parsing XML
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The XML_PARSE_NOENT flag to libxml will cause it to expand all entities
in the input XML document when parsing. Doing this is bad practice if the
XML input file comes from an untrusted source, because it can cause the
XML parser to load arbitrary files that are readable by the user running
XML parsing.

This is basically the same fix as 47233d0b9dc (from osinfo-db-tools)

Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
---
 osinfo/osinfo_loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/osinfo/osinfo_loader.c b/osinfo/osinfo_loader.c
index 51bd8ac..833a7e5 100644
--- a/osinfo/osinfo_loader.c
+++ b/osinfo/osinfo_loader.c
@@ -1844,7 +1844,7 @@ static void osinfo_loader_process_xml(OsinfoLoader *loader,
     pctxt->sax->error = catchXMLError;
 
     xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, src, NULL,
-                         XML_PARSE_NOENT | XML_PARSE_NONET |
+                         XML_PARSE_NONET |
                          XML_PARSE_NOWARNING);
     if (!xml)
         goto cleanup;
-- 
2.21.0