commit d6b27d3e4c40946efa79e91d134616b41b1666c4
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Tue Apr 15 11:20:29 2014 +0100
LSN-2014-0003: Don't expand entities when parsing XML
If the XML_PARSE_NOENT flag is passed to libxml2, then any
entities in the input document will be fully expanded. This
allows the user to read arbitrary files on the host machine
by creating an entity pointing to a local file. Removing
the XML_PARSE_NOENT flag means that any entities are left
unchanged by the parser, or expanded to "" by the XPath
APIs.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.2.3/src/util/virxml.c
===================================================================
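--- libvirt-1.2.3.orig/src/util/virxml.c
+++ libvirt-1.2.3/src/util/virxml.c
@@ -746,11 +746,11 @@ virXMLParseHelper(int domcode,
 
 if (filename) {
 xml = xmlCtxtReadFile(pctxt, filename, NULL,
- XML_PARSE_NOENT | XML_PARSE_NONET |
+ XML_PARSE_NONET |
 XML_PARSE_NOWARNING);
 } else {
 xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL,
- XML_PARSE_NOENT | XML_PARSE_NONET |
+ XML_PARSE_NONET |
 XML_PARSE_NOWARNING);
 }
 if (!xml)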
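Review bot: Nothing in the new code records that XML_PARSE_NOENT is left out on purpose, and the option set is still written out twice, once in the xmlCtxtReadFile() call and once in the xmlCtxtReadDoc() call, so a later edit could restore the flag in one branch without anyone noticing. A comment above the `if (filename)` branch such as `/* Never pass XML_PARSE_NOENT: entity substitution lets a document pull host files into the parsed tree (LSN-2014-0003) */` would keep the reasoning next to the code, and a single shared definition of `XML_PARSE_NONET | XML_PARSE_NOWARNING` used by both calls would stop them drifting apart. No regression test is visible in this patch; one that parses a document declaring an external entity and checks that the referenced file's content does not appear in the result would pin the behaviour. virXMLParseHelper begins and ends outside the hunk, so this is based only on the two calls shown.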