From 4629ee02ac649c27f9c0cf98ba017c6b5526070f Mon Sep 17 00:00:00 2001
From: Daniel Veillard
Date: Mon, 23 Jul 2012 14:15:40 +0800
Subject: [PATCH] Do not fetch external parsed entities Unless explicietely asked for when validating or replacing entities with their value. Problem pointed out by Tom Lane * parser.c: do not load external parsed entities unless needed * test/errors/extparsedent.xml result/errors/extparsedent.xml*: add a regression test to avoid change of the behaviour in the future
---
 parser.c | 9 ++++++++-
 result/errors/extparsedent.xml | 5 +++++
 result/errors/extparsedent.xml.err | 0
 result/errors/extparsedent.xml.str | 0
 test/errors/extparsedent.xml | 5 +++++
 5 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 result/errors/extparsedent.xml
 create mode 100644 result/errors/extparsedent.xml.err
 create mode 100644 result/errors/extparsedent.xml.str
 create mode 100644 test/errors/extparsedent.xml
diff --git a/parser.c b/parser.c
index 98632757..a0183f24 100644
--- a/parser.c
+++ b/parser.c
@@ -6927,8 +6927,15 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
 * The first reference to the entity trigger a parsing phase
 * where the ent->children is filled with the result from
 * the parsing.
+ * Note: external parsed entities will not be loaded, it is not
+ * required for a non-validating parser, unless the parsing option
+ * of validating, or substituting entities were given. Doing so is
+ * far more secure as the parser will only process data coming from
+ * the document entity by default.
 */
- if (ent->checked == 0) {
+ if ((ent->checked == 0) &&
+ ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+ (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
 unsigned long oldnbent = ctxt->nbentities;
 /*
diff --git a/result/errors/extparsedent.xml b/result/errors/extparsedent.xml
new file mode 100644
index 00000000..07e4c54b
--- /dev/null
+++ b/result/errors/extparsedent.xml
@@ -0,0 +1,5 @@ + + +]> +&c;
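Review bot: The added comment in xmlParseReference says the parser "will only process data coming from the document entity by default", but the new condition only skips entities whose `etype` is `XML_EXTERNAL_GENERAL_PARSED_ENTITY` at this one call site, so the sentence reads broader than what the visible code enforces. External parameter entities and the external DTD subset are not touched by this hunk, and with `XML_PARSE_NOENT` or `XML_PARSE_DTDVALID` set the external entity is still fetched exactly as before. The guard also tests only `ctxt->options`, so a context configured through the older `replaceEntities` / `validate` fields rather than the option flags would presumably skip loading as well; that is worth confirming against the callers. I would narrow the comment to something like `* Note: only external general parsed entities are skipped here; with XML_PARSE_NOENT or XML_PARSE_DTDVALID they are still loaded, so untrusted input also needs a restricted entity loader.` The function body starts and ends outside the hunk.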
diff --git a/result/errors/extparsedent.xml.err b/result/errors/extparsedent.xml.err
new file mode 100644
index 00000000..e69de29b
diff --git a/result/errors/extparsedent.xml.str b/result/errors/extparsedent.xml.str
new file mode 100644
index 00000000..e69de29b
diff --git a/test/errors/extparsedent.xml b/test/errors/extparsedent.xml
new file mode 100644
index 00000000..07e4c54b
--- /dev/null
+++ b/test/errors/extparsedent.xml
@@ -0,0 +1,5 @@ + + +]> +&c;