xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack.  Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42
pull/1790/head
George Joseph 2 months ago
parent 74d62161c5
commit c92ae66905

@ -99,7 +99,7 @@ struct ast_xml_doc *ast_xml_open(char *filename)
return NULL;
}
doc = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
doc = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
if (!doc) {
return NULL;
}
@ -503,7 +503,7 @@ struct ast_xslt_doc *ast_xslt_open(char *filename)
xsltStylesheet *xslt;
xmlDoc *xml;
xml = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
xml = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
if (!xml) {
return NULL;
}
@ -531,7 +531,7 @@ struct ast_xslt_doc *ast_xslt_read_memory(char *buffer, size_t size)
return NULL;
}
doc = xmlReadMemory(buffer, (int) size, NULL, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
doc = xmlReadMemory(buffer, (int) size, NULL, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
if (!doc) {
return NULL;
}
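Review bot: None of the three changed calls (in ast_xml_open, ast_xslt_open and ast_xslt_read_memory) carries a comment saying why XML_PARSE_NOENT is absent, so a later edit could restore it without noticing the XXE history. Dropping NOENT is what stops entity substitution; XML_PARSE_NONET only forbids network fetches during parsing and would not by itself stop a file-based external entity. A one-line comment above each call would record this, e.g. `/* No XML_PARSE_NOENT: entity substitution enables XXE; NONET only blocks network loads. */`. Separately, the `(int) size` cast on the xmlReadMemory line in ast_xslt_read_memory truncates a buffer larger than INT_MAX, and a guard such as `if (size > INT_MAX) return NULL;` before the call would make the limit explicit. All three function bodies start and end outside the hunks shown.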
