Import / Export: Remove Unsafe XML Handling Options.

Remove the options to expand entities and to continue when encountering invalid /
malformed XML, as both of these can be exploited by supplying
maliciously crafted XML.

Signed-off-by: Michael Keller <mikeller@042.ch>
Michael Keller 2024-03-14 11:47:05 +13:00 committed by bstoeger
parent 92c3837f6e
commit 6aca76c342
3 changed files with 4 additions and 5 deletions


@ -1765,9 +1765,9 @@ extern "C" int parse_xml_buffer(const char *url, const char *buffer, int, struct
state.log = log;
state.fingerprints = &fingerprint_table; // simply use the global table for now
doc = xmlReadMemory(res, strlen(res), url, NULL, XML_PARSE_HUGE | XML_PARSE_RECOVER);
doc = xmlReadMemory(res, strlen(res), url, NULL, XML_PARSE_HUGE);
if (!doc)
doc = xmlReadMemory(res, strlen(res), url, "latin1", XML_PARSE_HUGE | XML_PARSE_RECOVER);
doc = xmlReadMemory(res, strlen(res), url, "latin1", XML_PARSE_HUGE);
if (res != buffer)
free((char *)res);
@ -2346,7 +2346,6 @@ static xmlDoc *test_xslt_transforms(xmlDoc *doc, const struct xml_params *params
}
xmlFree(attribute);
}
xmlSubstituteEntitiesDefault(1);
xslt = get_stylesheet(info->file);
if (xslt == NULL) {
report_error(translate("gettextFromC", "Can't open stylesheet %s"), info->file);
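Review bot: Both xmlReadMemory calls in the parse_xml_buffer hunk still pass XML_PARSE_HUGE, which lifts libxml2's built-in limits on nesting depth and text size and, as far as I know, also relaxes its entity-amplification guard, so a crafted import file can likely still exhaust memory or CPU with entity substitution and recovery gone. If the flag is kept because real dive logs are large, say so in a comment above the first call, e.g. `// XML_PARSE_HUGE: large logs exceed default limits; input is untrusted, so no RECOVER / NOENT`, and consider `XML_PARSE_HUGE | XML_PARSE_NONET` on both calls so the parser never fetches external resources over the network. Separately, `strlen(res)` is narrowed to the `int` size parameter, so a buffer larger than INT_MAX would be passed with a wrong length; an explicit length check before the first call would turn that into a clean failure. The body of parse_xml_buffer starts and ends outside the hunk, so whether `doc` is checked for NULL after the latin1 retry is not visible here.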