tree: Don't call xmlNewCharRef in xmlNodeParseContent

xmlNewCharRef also tries to handle strings like '&name;' but in xmlNodeParseContentInternal, we really want to use the possibly invalid name without modification. Otherwise, content like '&"' could create a reference to a predefined entity.
2025-03-28 21:33:13 +00:00 · 2024-04-30 15:53:08 +02:00 · 2024-04-30 15:53:08 +02:00 · 619e2808b5
commit 619e2808b5
parent ae960cac96
1 changed files with 48 additions and 24 deletions
--- a/tree.c
+++ b/tree.c
@ -55,6 +55,9 @@ int __xmlRegisterCallbacks = 0;
 *									*
 ************************************************************************/

+static xmlNodePtr
+xmlNewEntityRef(xmlDocPtr doc, xmlChar *name);
+
 static xmlNsPtr
 xmlNewReconciledNs(xmlNodePtr tree, xmlNsPtr ns);

@ -1339,7 +1342,8 @@ xmlNodeParseContentInternal(const xmlDoc *doc, xmlNodePtr parent,
 			/*
 			 * Create a new REFERENCE_REF node
 			 */
-			node = xmlNewCharRef((xmlDocPtr) doc, val);
+			node = xmlNewEntityRef((xmlDocPtr) doc, val);
+                        val = NULL;
 			if (node == NULL)
 			    goto out;
                        node->parent = parent;
@ -2363,6 +2367,42 @@ xmlNewTextChild(xmlNodePtr parent, xmlNsPtr ns,
 }
 #endif /* LIBXML_TREE_ENABLED */

+/**
+ * xmlNewEntityRef:
+ * @doc: the target document (optional)
+ * @name:  the entity name
+ *
+ * Create an empty entity reference node. This function doesn't attempt
+ * to look up the entity in @doc.
+ *
+ * @name is consumed.
+ *
+ * Returns a pointer to the new node object or NULL if arguments are
+ * invalid or a memory allocation failed.
+ */
+static xmlNodePtr
+xmlNewEntityRef(xmlDocPtr doc, xmlChar *name) {
+    xmlNodePtr cur;
+
+    /*
+     * Allocate a new node and fill the fields.
+     */
+    cur = (xmlNodePtr) xmlMalloc(sizeof(xmlNode));
+    if (cur == NULL) {
+        xmlFree(name);
+	return(NULL);
+    }
+    memset(cur, 0, sizeof(xmlNode));
+    cur->type = XML_ENTITY_REF_NODE;
+    cur->doc = doc;
+    cur->name = name;
+
+    if ((__xmlRegisterCallbacks) && (xmlRegisterNodeDefaultValue))
+	xmlRegisterNodeDefaultValue(cur);
+
+    return(cur);
+}
+
 /**
 * xmlNewCharRef:
 * @doc: the target document (optional)
@ -2381,41 +2421,25 @@ xmlNewTextChild(xmlNodePtr parent, xmlNsPtr ns,
 */
 xmlNodePtr
 xmlNewCharRef(xmlDocPtr doc, const xmlChar *name) {
-    xmlNodePtr cur;
+    xmlChar *copy;

    if (name == NULL)
        return(NULL);

-    /*
-     * Allocate a new node and fill the fields.
-     */
-    cur = (xmlNodePtr) xmlMalloc(sizeof(xmlNode));
-    if (cur == NULL)
-	return(NULL);
-    memset(cur, 0, sizeof(xmlNode));
-    cur->type = XML_ENTITY_REF_NODE;
-
-    cur->doc = doc;
    if (name[0] == '&') {
        int len;
        name++;
 	len = xmlStrlen(name);
 	if (name[len - 1] == ';')
-	    cur->name = xmlStrndup(name, len - 1);
+	    copy = xmlStrndup(name, len - 1);
 	else
-	    cur->name = xmlStrndup(name, len);
+	    copy = xmlStrndup(name, len);
    } else
-	cur->name = xmlStrdup(name);
-    if (cur->name == NULL)
-        goto error;
+	copy = xmlStrdup(name);
+    if (copy == NULL)
+        return(NULL);

-    if ((__xmlRegisterCallbacks) && (xmlRegisterNodeDefaultValue))
-	xmlRegisterNodeDefaultValue(cur);
-    return(cur);
-
-error:
-    xmlFreeNode(cur);
-    return(NULL);
+    return(xmlNewEntityRef(doc, copy));
 }

 /**