From 4c2b237174539db92f4504fbc5198d2f1561baca Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sat, 6 Jul 2024 01:03:46 +0200
Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code

Some users set an entity's children manually in the getEntity SAX callback to restrict entity expansion. This stopped working after renaming the "checked" member of xmlEntity, making at least one downstream project and its dependants susceptible to XXE attacks.

See #761.
---
 parser.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/parser.c b/parser.c
index fe0ff4e2d..58ad02dbc 100644
--- a/parser.c
+++ b/parser.c
@@ -7280,6 +7280,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
         return;
     }
 
+    /*
+     * Some users try to parse entities on their own and used to set
+     * the renamed "checked" member. Fix the flags to cover this
+     * case.
+     */
+    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
+        ent->flags |= XML_ENT_PARSED;
+
     /*
      * The first reference to the entity trigger a parsing phase
      * where the ent->children is filled with the result from
-- 
GitLab
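Review bot: The new guard infers "already parsed" only from `ent->children != NULL`, so a getEntity callback that deliberately leaves `children` NULL to make the entity expand to nothing is indistinguishable from an entity that has never been parsed and still falls through to the normal expansion path below the hunk; the fix therefore restores protection only for callers that install a non-empty replacement. That limitation belongs in the comment, e.g. `* Note: only entities given a non-NULL children list are covered; a NULL list still triggers normal parsing.` It is also not visible from this hunk whether marking the entity `XML_ENT_PARSED` without the corresponding checked/size flags affects the later expansion accounting, which is worth confirming against the code that consumes those flags. `xmlParseReference` begins before this hunk and continues after it.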