[libxml2] Don't read external entities or XIncludes from stdin



commit e91cbcf63933d1f3b8ab97a500321edd20f35e97
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Fri Sep 20 12:44:17 2019 +0200

    Don't read external entities or XIncludes from stdin
    
    The file input callbacks try to read from stdin if "-" is passed as URL.
    This should never be done when loading indirect resources like external
    entities or XIncludes. Unfortunately, the stdin substitution happens
    deep inside the IO code, so we simply replace "-" with "./-" in specific
    locations.
    
    This issue also affects other users of the library like libxslt.
    Ideally, stdin should only be substituted on explicit request. But more
    intrusive changes could break existing code.
    
    Closes #90 and #102.

 parser.c   | 4 ++++
 xinclude.c | 8 ++++++++
 2 files changed, 12 insertions(+)
---
diff --git a/parser.c b/parser.c
index 26d9f4e3..7d70e267 100644
--- a/parser.c
+++ b/parser.c
@@ -14004,6 +14004,10 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
        ctxt->input_id = pctx->input_id + 1;
     }
 
+    /* Don't read from stdin. */
+    if (xmlStrcmp(URL, BAD_CAST "-") == 0)
+        URL = BAD_CAST "./-";
+
     uri = xmlBuildURI(URL, base);
 
     if (uri == NULL) {
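Review bot: The guard added before `xmlBuildURI(URL, base)` compares the unresolved `URL` with the literal `-`, so it covers only that exact spelling and the resolved `uri` is never re-checked. If resolution against `base` or later processing in the IO layer can still yield `-` from a different input (I cannot tell from this hunk), the stdin substitution described in the commit message would stay reachable for external entities. The same exact-match pattern appears in the `xmlXIncludeLoadTxt` hunk, where the test runs before the URL check announced by the comment that follows it. A regression test that loads an entity and an XInclude named `-` while stdin holds a marker document would pin the intended behaviour, and a second test on the resolved value, `if ((uri != NULL) && (xmlStrcmp(uri, BAD_CAST "-") == 0))` handled as a load failure, would cover the resolved form. The body of `xmlCreateEntityParserCtxtInternal` continues outside the hunk.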
diff --git a/xinclude.c b/xinclude.c
index b8e84ec3..c3a1854e 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -449,6 +449,10 @@ xmlXIncludeParseFile(xmlXIncludeCtxtPtr ctxt, const char *URL) {
 
     xmlCtxtUseOptions(pctxt, ctxt->parseFlags | XML_PARSE_DTDLOAD);
 
+    /* Don't read from stdin. */
+    if ((URL != NULL) && (strcmp(URL, "-") == 0))
+        URL = "./-";
+
     inputStream = xmlLoadExternalEntity(URL, NULL, pctxt);
     if (inputStream == NULL) {
        xmlFreeParserCtxt(pctxt);
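Review bot: The comment `/* Don't read from stdin. */` above the new check in `xmlXIncludeParseFile` does not say why `./-` is the replacement, and the same terse comment is repeated in `parser.c` and in `xmlXIncludeLoadTxt`. A reader who has not seen the commit message cannot tell that the file input callbacks map `-` to stdin; I would write `/* The file input callbacks open stdin for "-"; use "./-" so an included resource with that name is read as a regular file. */`. The substitution now exists three times with two different comparison helpers (`strcmp` here, `xmlStrcmp` at the other two sites), so a single internal helper would keep the sites from drifting apart. The function starts and ends outside this hunk.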
@@ -1806,6 +1810,10 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) {
     xmlParserInputPtr inputStream;
     int xinclude_multibyte_fallback_used = 0;
 
+    /* Don't read from stdin. */
+    if (xmlStrcmp(url, BAD_CAST "-") == 0)
+        url = BAD_CAST "./-";
+
     /*
      * Check the URL and remove any fragment identifier
      */

