From f02004601780c9281a192293f963854e8ecf1179 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 12 Aug 2019 15:25:40 +0200
Subject: [PATCH] loader: Don't expand entities when parsing XML
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The XML_PARSE_NOENT flag to libxml will cause it to expand all entities
in the input XML document when parsing. Doing this is bad practice if the
XML input file comes from an untrusted source, because it can cause the
XML parser to load arbitrary files that are readable by the user running
XML parsing.

This is basically the same fix as 47233d0b9dc (from osinfo-db-tools)

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
---
osinfo/osinfo_loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/osinfo/osinfo_loader.c b/osinfo/osinfo_loader.c
index 51bd8ac..833a7e5 100644
--- a/osinfo/osinfo_loader.c
+++ b/osinfo/osinfo_loader.c
@@ -1844,7 +1844,7 @@ static void osinfo_loader_process_xml(OsinfoLoader *loader,
pctxt->sax->error = catchXMLError;
xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, src, NULL,
- XML_PARSE_NOENT | XML_PARSE_NONET |
+ XML_PARSE_NONET |
XML_PARSE_NOWARNING);
if (!xml)
goto cleanup;
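Review bot: the flag list in the xmlCtxtReadDoc() call would benefit from a one-line comment stating that XML_PARSE_NOENT is deliberately absent, since XML_PARSE_NONET on its own only blocks network fetches and does nothing against a SYSTEM entity pointing at a local file; without that comment a later cleanup could reintroduce the flag and silently reopen the issue. Also worth confirming before merge that nothing downstream of this parse reads node->content directly, because with NOENT gone libxml2 leaves entity references as entity-reference nodes in the tree rather than substituted text; xmlNodeGetContent() still resolves them, a raw content read would not.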
--
2.21.0
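The behaviour the commit message describes, shown as an added example that is not part of libosinfo or the patch. libxml2 bindings are not assumed to be installed, so Python's bundled expat parser stands in for libxml2: the `expand_external=True` path does what XML_PARSE_NOENT does (open the entity's SYSTEM identifier as a local file and substitute its bytes into the document), and the `expand_external=False` path does what the patched call does (leave the reference unexpanded). The document, the secret file and the function names are all constructed for this example.

```python
"""Constructed demonstration of external-entity expansion with Python's expat.

Not code from libosinfo or libxml2: it reproduces the effect of parsing with
and without XML_PARSE_NOENT so the patch's rationale can be seen on a file the
example itself creates.
"""
import os
import tempfile
import xml.parsers.expat as expat


def build_document(secret_path: str) -> bytes:
    """Constructed libosinfo-like document whose <name> is an external entity."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE libosinfo [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
        '<libosinfo><os id="http://example.invalid/os/1">'
        '<name>&xxe;</name></os></libosinfo>'
    ).encode()


def parse_with_policy(xml_bytes: bytes, expand_external: bool) -> str:
    """Return the character data of the document under the chosen policy.

    expand_external=True  mirrors XML_PARSE_NOENT: the SYSTEM id is opened as
                          a local file and its contents substituted into the
                          document text.
    expand_external=False mirrors the patched call: the reference is accepted
                          but nothing is substituted, so the secret never
                          reaches the document tree.
    """
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append

    def on_external_entity(context, base, system_id, public_id):
        if not expand_external:
            return 1  # non-zero means "handled"; the entity contributes no text
        # libxml2-style expansion: whatever the attacker named is read verbatim.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as f:
            payload = f.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append  # collect the substituted bytes
        child.Parse(payload, True)
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo() -> dict:
    """Parse the same untrusted document both ways and return what leaked."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")  # stands in for a readable file
        with open(secret, "w") as f:
            f.write("db-password=hunter2")
        doc = build_document(secret)
        return {
            "expanded": parse_with_policy(doc, expand_external=True),
            "not_expanded": parse_with_policy(doc, expand_external=False),
        }


if __name__ == "__main__":
    print(demo())
```

With expansion on, the contents of a file chosen by whoever wrote the XML end up inside the parsed tree and from there in whatever the loader does with `<name>`; with expansion off, the same document parses cleanly but the reference yields no text. Returning 0 from the handler instead would make expat raise an error on any external reference, which is the stricter option when an untrusted document has no business declaring external entities at all.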