mirror of
				https://gitlab.gnome.org/GNOME/libxml2.git
				synced 2025-10-24 13:33:01 +03:00 
			
		
		
		
	Don't read external entities or XIncludes from stdin
The file input callbacks try to read from stdin if "-" is passed as URL. This should never be done when loading indirect resources like external entities or XIncludes. Unfortunately, the stdin substitution happens deep inside the IO code, so we simply replace "-" with "./-" in specific locations. This issue also affects other users of the library like libxslt. Ideally, stdin should only be substituted on explicit request. But more intrusive changes could break existing code. Closes #90 and #102.
		
							
								
								
									
										4
									
								
								parser.c
									
									
									
									
									
								
							
							
						
						
									
										4
									
								
								parser.c
									
									
									
									
									
								
							| @@ -14004,6 +14004,10 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, | |||||||
| 	ctxt->input_id = pctx->input_id + 1; | 	ctxt->input_id = pctx->input_id + 1; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     /* Don't read from stdin. */ | ||||||
|  |     if (xmlStrcmp(URL, BAD_CAST "-") == 0) | ||||||
|  |         URL = BAD_CAST "./-"; | ||||||
|  |  | ||||||
|     uri = xmlBuildURI(URL, base); |     uri = xmlBuildURI(URL, base); | ||||||
|  |  | ||||||
|     if (uri == NULL) { |     if (uri == NULL) { | ||||||
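Review bot: The new guard in xmlCreateEntityParserCtxtInternal compares the raw `URL` with "-" before `xmlBuildURI(URL, base)` runs, so it covers only the literal spelling. A reference that becomes "-" only after it is resolved against `base` would presumably still reach the stdin substitution that the commit message places deep inside the IO code. The guard in xmlXIncludeLoadTxt has the same ordering, since it sits above the "Check the URL and remove any fragment identifier" step. Consider repeating the comparison on the resolved value, e.g. `if ((uri != NULL) && (xmlStrcmp(uri, BAD_CAST "-") == 0))`, and handling that case like the literal one. Both functions start and end outside their hunks, so whether later code already normalises this cannot be confirmed from the page.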
|   | |||||||
| @@ -449,6 +449,10 @@ xmlXIncludeParseFile(xmlXIncludeCtxtPtr ctxt, const char *URL) { | |||||||
|  |  | ||||||
|     xmlCtxtUseOptions(pctxt, ctxt->parseFlags | XML_PARSE_DTDLOAD); |     xmlCtxtUseOptions(pctxt, ctxt->parseFlags | XML_PARSE_DTDLOAD); | ||||||
|  |  | ||||||
|  |     /* Don't read from stdin. */ | ||||||
|  |     if ((URL != NULL) && (strcmp(URL, "-") == 0)) | ||||||
|  |         URL = "./-"; | ||||||
|  |  | ||||||
|     inputStream = xmlLoadExternalEntity(URL, NULL, pctxt); |     inputStream = xmlLoadExternalEntity(URL, NULL, pctxt); | ||||||
|     if (inputStream == NULL) { |     if (inputStream == NULL) { | ||||||
| 	xmlFreeParserCtxt(pctxt); | 	xmlFreeParserCtxt(pctxt); | ||||||
| @@ -1806,6 +1810,10 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { | |||||||
|     xmlParserInputPtr inputStream; |     xmlParserInputPtr inputStream; | ||||||
|     int xinclude_multibyte_fallback_used = 0; |     int xinclude_multibyte_fallback_used = 0; | ||||||
|  |  | ||||||
|  |     /* Don't read from stdin. */ | ||||||
|  |     if (xmlStrcmp(url, BAD_CAST "-") == 0) | ||||||
|  |         url = BAD_CAST "./-"; | ||||||
|  |  | ||||||
|     /* |     /* | ||||||
|      * Check the URL and remove any fragment identifier |      * Check the URL and remove any fragment identifier | ||||||
|      */ |      */ | ||||||
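Review bot: The comment `/* Don't read from stdin. */` in xmlXIncludeParseFile, repeated verbatim in the other two hunks, states the effect but not why `"./-"` is the replacement. Something like `/* "-" makes the file input callbacks read stdin; "./-" names a regular file instead. */` would keep a later cleanup from dropping or simplifying the rewrite. This site also spells the test as `(URL != NULL) && (strcmp(URL, "-") == 0)` while the other two use `xmlStrcmp`, so the comment is the only thing tying the three guards together. The page shows no file header for this section, and the function bodies continue outside the hunks.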
|   | |||||||