Re: [xml] [BUG] [PATCH] --postvalid broken after CVE-2014-0191 fix

[More investigation follows. Writing from a different machine, so cannot reply to my own email]


The issue, brief summary: upgrade of libxml2 from 2.7.6-14.el6 to 2.7.6-14.el6_5.1 (RHEL6) broke the --postvalid/--dtdvalid options.


Minimal test case:



<?xml version="1.0"?>

<!-- vi: set sw=2 : -->

<!DOCTYPE a SYSTEM "a.dtd">







<!ELEMENT a (b|c)>

<!ENTITY % base.dtd SYSTEM "b.dtd">








This command works:

xmllint --valid --noout --dtdvalid a.dtd a.xml


This command doesn't:

xmllint --postvalid --noout --dtdvalid a.dtd a.xml

a.xml:5: element b: validity error : No declaration for element b

Document a.xml does not validate against a.dtd


The problem:

1. With --postvalid (and similarly treated options --dtdvalid, --dtdvalidfpi) the XML_PARSE_DTDVALID is not set. Instead, XML_PARSE_DTDLOAD is set (the validation is performed after loading of the XML document). Solution: the xmlParserHandlePEReference() should also check for XML_PARSE_DTDLOAD or the parsed entities defined in the nested DTDs will not load.


2. Even with parsed entities loaded, the validation then fails: the xmlParserHandlePEReference() is called during the post-validation with the ctxt->options equal to zero when loading a separate DTD (e.g. due to --dtdvalid option) via the xmlSAXParseDTD(). Solution: xmlSAXParseDTD() should set the ctxt->options to XML_PARSE_DTDLOAD - after all, xmlSAXParseDTD *is* loading the DTD.


3. The comment in the xmlParserHandlePEReference() is an obvious copy-paste: it refers to parsed entities while the code actually handles parameter entities. Solution: fix the comment :)


Updated patch attached (against RHEL version of 2.7.6 - will update to git version of libxml2 if needed).




Attachment: libxml2-Fix-postvalidation-with-parameter-entitites.patch
Description: Text Data
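
A regression check for the behaviour reported above, as an added example that is not part of the original message or the attached patch. The file bodies are constructed around the fragments quoted in the report (the `<a><b/></a>` body, the `%base.dtd;` reference and all of b.dtd are assumptions), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: regression check for --postvalid/--dtdvalid with a nested DTD.
# File bodies are constructed around the fragments quoted in the report; the
# document body, the %base.dtd; reference and all of b.dtd are assumptions.

make_case() {                       # $1 = scratch directory
  mkdir -p "$1" || return 1
  cat > "$1/a.xml" <<'EOF'
<?xml version="1.0"?>
<!-- vi: set sw=2 : -->
<!DOCTYPE a SYSTEM "a.dtd">
<a>
  <b/>
</a>
EOF
  cat > "$1/a.dtd" <<'EOF'
<!ELEMENT a (b|c)>
<!ENTITY % base.dtd SYSTEM "b.dtd">
%base.dtd;
EOF
  cat > "$1/b.dtd" <<'EOF'
<!ELEMENT b EMPTY>
<!ELEMENT c EMPTY>
EOF
}

classify() {                        # $1 = --valid status, $2 = --postvalid status
  case "$1:$2" in
    0:0) echo ok ;;                 # nested DTD honoured in both modes
    0:*) echo regressed ;;          # the symptom described in the report
    *)   echo inconclusive ;;       # the test case itself did not validate
  esac
}

check_postvalid() {                 # $1 = scratch directory
  command -v xmllint >/dev/null 2>&1 || { echo skipped; return 0; }
  make_case "$1" || return 1
  (
    cd "$1" || exit 1
    v=0; p=0
    xmllint --valid --noout --dtdvalid a.dtd a.xml >/dev/null 2>&1 || v=$?
    xmllint --postvalid --noout --dtdvalid a.dtd a.xml >/dev/null 2>&1 || p=$?
    classify "$v" "$p"
  )
}

check_postvalid "${1:-$(mktemp -d)}"
```

Run it before and after a libxml2 package update; `regressed` means the nested DTD is loaded under --valid but not under --postvalid.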
