libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading even local"
The new flag doesn't work and the change even broke the XML_PARSE_NONET option. (From OE-Core rev: 8b586f60778579ee2c9adae429128a07e8437553) (From OE-Core rev: d2b1486bf8773d3eef36c5e77b82e70c88d9c682) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
a602b9f748
commit
6c657b8441
|
@ -1,207 +0,0 @@
|
|||
From 7fa1cd31552d52d50a9101f07c816ff6dd2d9f19 Mon Sep 17 00:00:00 2001
|
||||
From: Doran Moppert <dmoppert@redhat.com>
|
||||
Date: Fri, 7 Apr 2017 16:45:56 +0200
|
||||
Subject: [PATCH] Add an XML_PARSE_NOXXE flag to block all entities loading
|
||||
even local
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=772726
|
||||
|
||||
* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
|
||||
* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
|
||||
* include/libxml/xmlerror.h: new error raised
|
||||
* xmllint.c: adds --noxxe flag to activate the option
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2016-9318
|
||||
|
||||
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
|
||||
---
|
||||
elfgcchack.h | 10 ++++++++++
|
||||
include/libxml/parser.h | 3 ++-
|
||||
include/libxml/xmlIO.h | 8 ++++++++
|
||||
include/libxml/xmlerror.h | 1 +
|
||||
parser.c | 4 ++++
|
||||
xmlIO.c | 40 +++++++++++++++++++++++++++++++++++-----
|
||||
xmllint.c | 5 +++++
|
||||
7 files changed, 65 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/elfgcchack.h b/elfgcchack.h
|
||||
index 8c52884..1b81dcd 100644
|
||||
--- a/elfgcchack.h
|
||||
+++ b/elfgcchack.h
|
||||
@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
|
||||
#endif
|
||||
#endif
|
||||
|
||||
+#ifdef bottom_xmlIO
|
||||
+#undef xmlNoXxeExternalEntityLoader
|
||||
+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
|
||||
+#else
|
||||
+#ifndef xmlNoXxeExternalEntityLoader
|
||||
+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
|
||||
+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
#ifdef bottom_tree
|
||||
#undef xmlNodeAddContent
|
||||
extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
|
||||
diff --git a/include/libxml/parser.h b/include/libxml/parser.h
|
||||
index 47fbec0..63ca1b9 100644
|
||||
--- a/include/libxml/parser.h
|
||||
+++ b/include/libxml/parser.h
|
||||
@@ -1111,7 +1111,8 @@ typedef enum {
|
||||
XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */
|
||||
XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */
|
||||
XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
|
||||
- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
|
||||
+ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
|
||||
+ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */
|
||||
} xmlParserOption;
|
||||
|
||||
XMLPUBFUN void XMLCALL
|
||||
diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
|
||||
index 3e41744..8d3fdef 100644
|
||||
--- a/include/libxml/xmlIO.h
|
||||
+++ b/include/libxml/xmlIO.h
|
||||
@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
|
||||
xmlParserCtxtPtr ctxt);
|
||||
|
||||
/*
|
||||
+ * A predefined entity loader external entity expansion
|
||||
+ */
|
||||
+XMLPUBFUN xmlParserInputPtr XMLCALL
|
||||
+ xmlNoXxeExternalEntityLoader (const char *URL,
|
||||
+ const char *ID,
|
||||
+ xmlParserCtxtPtr ctxt);
|
||||
+
|
||||
+/*
|
||||
* xmlNormalizeWindowsPath is obsolete, don't use it.
|
||||
* Check xmlCanonicPath in uri.h for a better alternative.
|
||||
*/
|
||||
diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
|
||||
index 037c16d..3036062 100644
|
||||
--- a/include/libxml/xmlerror.h
|
||||
+++ b/include/libxml/xmlerror.h
|
||||
@@ -470,6 +470,7 @@ typedef enum {
|
||||
XML_IO_EADDRINUSE, /* 1554 */
|
||||
XML_IO_EALREADY, /* 1555 */
|
||||
XML_IO_EAFNOSUPPORT, /* 1556 */
|
||||
+ XML_IO_ILLEGAL_XXE, /* 1557 */
|
||||
XML_XINCLUDE_RECURSION=1600,
|
||||
XML_XINCLUDE_PARSE_VALUE, /* 1601 */
|
||||
XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 53a6b7f..609a270 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
|
||||
ctxt->options |= XML_PARSE_NONET;
|
||||
options -= XML_PARSE_NONET;
|
||||
}
|
||||
+ if (options & XML_PARSE_NOXXE) {
|
||||
+ ctxt->options |= XML_PARSE_NOXXE;
|
||||
+ options -= XML_PARSE_NOXXE;
|
||||
+ }
|
||||
if (options & XML_PARSE_COMPACT) {
|
||||
ctxt->options |= XML_PARSE_COMPACT;
|
||||
options -= XML_PARSE_COMPACT;
|
||||
diff --git a/xmlIO.c b/xmlIO.c
|
||||
index 1a79c09..304f822 100644
|
||||
--- a/xmlIO.c
|
||||
+++ b/xmlIO.c
|
||||
@@ -210,6 +210,7 @@ static const char *IOerr[] = {
|
||||
"adddress in use", /* EADDRINUSE */
|
||||
"already in use", /* EALREADY */
|
||||
"unknown address familly", /* EAFNOSUPPORT */
|
||||
+ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
|
||||
};
|
||||
|
||||
#if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
|
||||
@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
|
||||
xmlGenericError(xmlGenericErrorContext,
|
||||
"xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
|
||||
#endif
|
||||
- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
|
||||
+ if (ctxt != NULL) {
|
||||
int options = ctxt->options;
|
||||
|
||||
- ctxt->options -= XML_PARSE_NONET;
|
||||
- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
|
||||
- ctxt->options = options;
|
||||
- return(ret);
|
||||
+ if (options & XML_PARSE_NOXXE) {
|
||||
+ ctxt->options -= XML_PARSE_NOXXE;
|
||||
+ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
|
||||
+ ctxt->options = options;
|
||||
+ return(ret);
|
||||
+ }
|
||||
+
|
||||
+ if (options & XML_PARSE_NONET) {
|
||||
+ ctxt->options -= XML_PARSE_NONET;
|
||||
+ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
|
||||
+ ctxt->options = options;
|
||||
+ return(ret);
|
||||
+ }
|
||||
}
|
||||
#ifdef LIBXML_CATALOG_ENABLED
|
||||
resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
|
||||
@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
|
||||
xmlParserInputPtr input = NULL;
|
||||
xmlChar *resource = NULL;
|
||||
|
||||
+ if (ctxt == NULL) {
|
||||
+ return(NULL);
|
||||
+ }
|
||||
+ if (ctxt->input_id == 1) {
|
||||
+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
|
||||
+ }
|
||||
+
|
||||
#ifdef LIBXML_CATALOG_ENABLED
|
||||
resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
|
||||
#endif
|
||||
@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
|
||||
return(input);
|
||||
}
|
||||
|
||||
+xmlParserInputPtr
|
||||
+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
|
||||
+ xmlParserCtxtPtr ctxt) {
|
||||
+ if (ctxt == NULL) {
|
||||
+ return(NULL);
|
||||
+ }
|
||||
+ if (ctxt->input_id == 1) {
|
||||
+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
|
||||
+ }
|
||||
+ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
|
||||
+ return(NULL);
|
||||
+}
|
||||
+
|
||||
#define bottom_xmlIO
|
||||
#include "elfgcchack.h"
|
||||
diff --git a/xmllint.c b/xmllint.c
|
||||
index 67f7adb..d9368c1 100644
|
||||
--- a/xmllint.c
|
||||
+++ b/xmllint.c
|
||||
@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
|
||||
printf("\t--path 'paths': provide a set of paths for resources\n");
|
||||
printf("\t--load-trace : print trace of all external entities loaded\n");
|
||||
printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
|
||||
+ printf("\t--noxxe : forbid any external entity loading\n");
|
||||
printf("\t--nocompact : do not generate compact text nodes\n");
|
||||
printf("\t--htmlout : output results as HTML\n");
|
||||
printf("\t--nowrap : do not put HTML doc wrapper\n");
|
||||
@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
|
||||
(!strcmp(argv[i], "--nonet"))) {
|
||||
options |= XML_PARSE_NONET;
|
||||
xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
|
||||
+ } else if ((!strcmp(argv[i], "-noxxe")) ||
|
||||
+ (!strcmp(argv[i], "--noxxe"))) {
|
||||
+ options |= XML_PARSE_NOXXE;
|
||||
+ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
|
||||
} else if ((!strcmp(argv[i], "-nocompact")) ||
|
||||
(!strcmp(argv[i], "--nocompact"))) {
|
||||
options &= ~XML_PARSE_COMPACT;
|
||||
--
|
||||
2.10.2
|
||||
|
|
@ -28,7 +28,6 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
|
|||
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
|
||||
file://libxml2-CVE-2017-5969.patch \
|
||||
file://libxml2-CVE-2017-0663.patch \
|
||||
file://CVE-2016-9318.patch \
|
||||
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
|
||||
"
|
||||
|
||||
|
|
Loading…
Reference in New Issue