From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 6 Jul 2024 01:03:46 +0200
Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
Some users set an entity's children manually in the getEntity SAX
callback to restrict entity expansion. This stopped working after
renaming the "checked" member of xmlEntity, making at least one
downstream project and its dependants susceptible to XXE attacks.
See #761.
---
parser.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/parser.c b/parser.c
index 4feb21a28..8fe0a064d 100644
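--- a/parser.c
+++ b/parser.c
@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
 return;
 }
 
+ /*
+ * Some users try to parse entities on their own and used to set
+ * the renamed "checked" member. Fix the flags to cover this
+ * case.
+ */
+ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
+ ent->flags |= XML_ENT_PARSED;
+
 /*
 * The first reference to the entity trigger a parsing phase
 * where the ent->children is filled with the result from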
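Review bot: The comment added above the `ent->flags |= XML_ENT_PARSED;` fix-up presents it as a compatibility shim and never says it is a security control, although the commit message ties it to XXE protection in callers that fill `ent->children` from their getEntity SAX callback. I would extend the comment with something like `* Security: callers pre-populate ent->children in getEntity to block entity loading; without XML_ENT_PARSED the parsing phase below would run anyway (XXE, see #761).` so a later cleanup does not drop the check. The diffstat shows only parser.c changing, so a regression test that sets children in a getEntity callback and asserts the entity content is not parsed would help keep this from breaking a second time. xmlParseReference starts and ends outside the hunk, so how XML_ENT_PARSED gates the parsing phase is inferred from the context comment that follows.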
--
GitLab