Hi Daniel,

The fix for CVE-2014-0191 broke the --postvalid option. In that case, DTDs 
are not loaded even though requested on the command line. This was the 
CVE-2014-0191 patch:

 
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

With --postvalid specified on the command line, XML_PARSE_DTDVALID is not 
set in ctxt->options; instead, XML_PARSE_DTDLOAD is set. The same goes for the 
other options that set XML_PARSE_DTDLOAD, --dtdvalid and --dtdvalidfpi.

Patch attached.

Regards,
Alexey.

diff --git a/parser.c b/parser.c
index c0dea05..f368bb5 100644
--- a/parser.c
+++ b/parser.c
@@ -2608,6 +2608,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
                     if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
 		        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
 			((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+			((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
 			(ctxt->validate == 0))
 			return;
 
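Review bot: the added XML_PARSE_DTDLOAD test in the early-return condition of xmlParserHandlePEReference carries no comment saying why DTDLOAD on its own should let an external parameter entity be loaded. If this condition is the guard from the CVE-2014-0191 fix referenced in the message, each flag that bypasses it deserves a one-line comment naming the command-line options that rely on it (--postvalid, --dtdvalid, --dtdvalidfpi), and a regression test for --postvalid would stop the guard from being tightened again by accident. Please also confirm that every caller setting XML_PARSE_DTDLOAD without XML_PARSE_NOENT or XML_PARSE_DTDVALID is meant to have external parameter entities handled here, since after this change the return is skipped for all of them, not only for the three options named in the message.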