38 lines
1.1 KiB
Diff
38 lines
1.1 KiB
Diff
From 4c2b237174539db92f4504fbc5198d2f1561baca Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Sat, 6 Jul 2024 01:03:46 +0200
|
|
Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
|
|
|
|
Some users set an entity's children manually in the getEntity SAX
|
|
callback to restrict entity expansion. This stopped working after
|
|
renaming the "checked" member of xmlEntity, making at least one
|
|
downstream project and its dependants susceptible to XXE attacks.
|
|
|
|
See #761.
|
|
---
|
|
parser.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/parser.c b/parser.c
|
|
index fe0ff4e2d..58ad02dbc 100644
|
|
--- a/parser.c
|
|
+++ b/parser.c
|
|
@@ -7280,6 +7280,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
|
|
return;
|
|
}
|
|
|
|
+ /*
|
|
+ * Some users try to parse entities on their own and used to set
|
|
+ * the renamed "checked" member. Fix the flags to cover this
|
|
+ * case.
|
|
+ */
|
|
+ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
|
|
+ ent->flags |= XML_ENT_PARSED;
|
|
+
|
|
/*
|
|
* The first reference to the entity trigger a parsing phase
|
|
* where the ent->children is filled with the result from
|
|
--
|
|
GitLab
|
|
|