Import / Export: Remove Unsafe XML Handling Options.

Remove the options to expand entities and to continue when encountering invalid /
malformed XML, as both of these can be exploited by supplying
maliciously crafted XML.

Signed-off-by: Michael Keller <mikeller@042.ch>
Michael Keller 2024-03-14 11:47:05 +13:00 committed by bstoeger
parent 92c3837f6e
commit 6aca76c342
3 changed files with 4 additions and 5 deletions

@ -879,7 +879,7 @@ static int export_dives_xslt_doit(const char *filename, struct xml_params *param
* transform it to selected export format, finally dumping
* the XML into a character buffer.
*/
doc = xmlReadMemory(buf.buffer, buf.len, "divelog", NULL, XML_PARSE_HUGE | XML_PARSE_RECOVER);
doc = xmlReadMemory(buf.buffer, buf.len, "divelog", NULL, XML_PARSE_HUGE);
if (!doc)
return report_error("Failed to read XML memory");
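Review bot: XML_PARSE_HUGE is still passed to xmlReadMemory in export_dives_xslt_doit after this change, and that flag relaxes libxml2's hardcoded parser limits, which are themselves a guard against resource-exhaustion input. Given that the commit message's rationale is maliciously crafted XML, either drop the flag here if the export buffer never needs it, or add a short comment above the call explaining why the limits have to stay lifted for this buffer. Separately, with XML_PARSE_RECOVER removed, a buffer that is not well-formed now takes the `if (!doc)` branch instead of being parsed leniently, so the "Failed to read XML memory" text could say that the XML was malformed to make the new failure mode recognisable in reports.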