From 518ac5029578b07471ed2aa15f6c924073075ddf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 12 Aug 2019 15:28:07 +0200
Subject: [PATCH] install-script: Don't expand entities when parsing XML
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The XML_PARSE_NOENT flag to libxml will cause it to expand all entities
in the input XML document when parsing. Doing this is bad practice if the
XML input file comes from an untrusted source, because it can cause the
XML parser to load arbitrary files that are readable by the user running
XML parsing.

This is basically the same fix as 47233d0b9dc (from osinfo-db-tools)

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
---
osinfo/osinfo_install_script.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/osinfo/osinfo_install_script.c b/osinfo/osinfo_install_script.c
index 906fb83..5cd00a0 100644
--- a/osinfo/osinfo_install_script.c
+++ b/osinfo/osinfo_install_script.c
@@ -725,7 +725,7 @@ static xsltStylesheetPtr osinfo_install_script_load_template(const gchar *uri,
}
if (!(doc = xmlCtxtReadDoc(pctxt, BAD_CAST template, uri, NULL,
- XML_PARSE_NOENT | XML_PARSE_NONET |
+ XML_PARSE_NONET |
XML_PARSE_NOWARNING))) {
g_set_error_literal(error, OSINFO_ERROR, 0,
_("Unable to read XSL template"));
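Review bot: dropping XML_PARSE_NOENT from the xmlCtxtReadDoc() flags in osinfo_install_script_load_template() means entity references in the template are now kept as entity-reference nodes instead of being substituted, so any install-script template that declares and uses its own internal entities would change behaviour; the commit message should state that the shipped templates do not rely on entity substitution, or a test should cover one that does. Since XML_PARSE_NONET is already passed, what this closes is the local-file variant described in the message (an external entity pointing at a path readable by the parsing user), which is worth saying explicitly there as well. Please also confirm there are no other xmlCtxtReadDoc()/xmlReadFile()-style call sites in this file that still pass XML_PARSE_NOENT, so the fix covers every template-loading path and not only this one.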
--
2.21.0