Commit e91cbcf6 authored by Nick Wellnhofer's avatar Nick Wellnhofer

Don't read external entities or XIncludes from stdin

The file input callbacks try to read from stdin if "-" is passed as URL.
This should never be done when loading indirect resources like external
entities or XIncludes. Unfortunately, the stdin substitution happens
deep inside the IO code, so we simply replace "-" with "./-" in specific
locations.

This issue also affects other users of the library like libxslt.
Ideally, stdin should only be substituted on explicit request. But more
intrusive changes could break existing code.

Closes #90 and #102.
parent 6705f4d2
......@@ -14004,6 +14004,10 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
ctxt->input_id = pctx->input_id + 1;
}
/* Don't read from stdin. */
if (xmlStrcmp(URL, BAD_CAST "-") == 0)
URL = BAD_CAST "./-";
uri = xmlBuildURI(URL, base);
if (uri == NULL) {
......
......@@ -449,6 +449,10 @@ xmlXIncludeParseFile(xmlXIncludeCtxtPtr ctxt, const char *URL) {
xmlCtxtUseOptions(pctxt, ctxt->parseFlags | XML_PARSE_DTDLOAD);
/* Don't read from stdin. */
if ((URL != NULL) && (strcmp(URL, "-") == 0))
URL = "./-";
inputStream = xmlLoadExternalEntity(URL, NULL, pctxt);
if (inputStream == NULL) {
xmlFreeParserCtxt(pctxt);
......@@ -1806,6 +1810,10 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) {
xmlParserInputPtr inputStream;
int xinclude_multibyte_fallback_used = 0;
/* Don't read from stdin. */
if (xmlStrcmp(url, BAD_CAST "-") == 0)
url = BAD_CAST "./-";
/*
* Check the URL and remove any fragment identifier
*/
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment