You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 lines
1.5 KiB
38 lines
1.5 KiB
5 years ago
|
From 518ac5029578b07471ed2aa15f6c924073075ddf Mon Sep 17 00:00:00 2001
|
||
|
|
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||
|
|
Date: Mon, 12 Aug 2019 15:28:07 +0200
|
||
|
|
Subject: [PATCH] install-script: Don't expand entities when parsing XML
|
||
|
|
MIME-Version: 1.0
|
||
|
|
Content-Type: text/plain; charset=UTF-8
|
||
|
|
Content-Transfer-Encoding: 8bit
|
||
|
|
|
||
|
|
The XML_PARSE_NOENT flag to libxml will cause it to expand all entities
|
||
|
|
in the input XML document when parsing. Doing this is bad practice if the
|
||
|
|
XML input file comes from an untrusted source, because it can cause the
|
||
|
|
XML parser to load arbitrary files that are readable by the user running
|
||
|
|
XML parsing.
|
||
|
|
|
||
|
|
This is basically the same fix as 47233d0b9dc (from osinfo-db-tools)
|
||
|
|
|
||
|
|
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
||
|
|
---
|
||
|
|
osinfo/osinfo_install_script.c | 2 +-
|
||
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/osinfo/osinfo_install_script.c b/osinfo/osinfo_install_script.c
|
||
|
|
index 906fb83..5cd00a0 100644
|
||
|
|
--- a/osinfo/osinfo_install_script.c
|
||
|
|
+++ b/osinfo/osinfo_install_script.c
|
||
|
|
@@ -725,7 +725,7 @@ static xsltStylesheetPtr osinfo_install_script_load_template(const gchar *uri,
|
||
|
|
}
|
||
|
|
|
||
|
|
if (!(doc = xmlCtxtReadDoc(pctxt, BAD_CAST template, uri, NULL,
|
||
|
|
- XML_PARSE_NOENT | XML_PARSE_NONET |
|
||
|
|
+ XML_PARSE_NONET |
|
||
|
|
XML_PARSE_NOWARNING))) {
|
||
|
|
g_set_error_literal(error, OSINFO_ERROR, 0,
|
||
|
|
_("Unable to read XSL template"));
|
||
|
|
--
|
||
|
|
2.21.0
|
||
|
|
|