mifr/subsurface
1
0
Fork 0
mirror of https://github.com/subsurface/subsurface.git synced 2025-02-19 22:16:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Import / Export: Remove Unsafe XML Handling Options.

Browse source 
Remove the options to expand entities and so continue when encountering invalid /
malformed XML, as both of these can be exploited by supplying
maliciously crafted XML.

Signed-off-by: Michael Keller <mikeller@042.ch>
This commit is contained in:
Michael Keller 2024-03-14 11:47:05 +13:00 committed by bstoeger
parent 92c3837f6e
commit 6aca76c342
3 changed files with 4 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

2
core/uploadDiveLogsDE.cpp
View file

@ -141,7 +141,7 @@ bool uploadDiveLogsDE::prepareDives(const QString &tempfile, bool selected)
* transform it to divelogs.de format, finally dumping
* the XML into a character buffer.
*/
xmlDoc *doc = xmlReadMemory(mb.buffer, mb.len, "divelog", NULL, XML_PARSE_HUGE | XML_PARSE_RECOVER);
xmlDoc *doc = xmlReadMemory(mb.buffer, mb.len, "divelog", NULL, XML_PARSE_HUGE);
if (!doc) {
qWarning() << errPrefix << "could not parse back into memory the XML file we've just created!";
report_error("%s", qPrintable(tr("internal error")));