From f02004601780c9281a192293f963854e8ecf1179 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 12 Aug 2019 15:25:40 +0200
Subject: [PATCH] loader: Don't expand entities when parsing XML
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The XML_PARSE_NOENT flag to libxml will cause it to expand all entities
in the input XML document when parsing. Doing this is bad practice if the
XML input file comes from an untrusted source, because it can cause the
XML parser to load arbitrary files that are readable by the user running
XML parsing.

This is basically the same fix as 47233d0b9dc (from osinfo-db-tools)

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
---
 osinfo/osinfo_loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/osinfo/osinfo_loader.c b/osinfo/osinfo_loader.c
index 51bd8ac..833a7e5 100644
--- a/osinfo/osinfo_loader.c
+++ b/osinfo/osinfo_loader.c
|
@@ -1844,7 +1844,7 @@ static void osinfo_loader_process_xml(OsinfoLoader *loader, |
|
pctxt->sax->error = catchXMLError; |
|
|
|
xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, src, NULL, |
|
- XML_PARSE_NOENT | XML_PARSE_NONET | |
|
+ XML_PARSE_NONET | |
|
XML_PARSE_NOWARNING); |
|
if (!xml) |
|
goto cleanup; |
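Review bot: nothing in the hunk records why XML_PARSE_NOENT was dropped, so a later cleanup could re-add it without noticing; a one-line comment above the `xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, src, NULL,` call (e.g. `/* never XML_PARSE_NOENT: input may be untrusted */`) would keep the intent next to the flags, and a regression test that parses a document declaring an external entity and asserts the referenced file's contents never reach the resulting tree would lock the fix in. Also worth confirming that no osinfo-db document relies on declared general entities: without XML_PARSE_NOENT libxml2 leaves those as unexpanded entity-reference nodes instead of substituting their text, which any code walking the tree for text content will now see.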
--
2.21.0