xmllint: external entity problems for directory names containing spaces on the command line
libxml2 2.9.4 to 2.9.10 at least doesn't handle directory names containing spaces correctly (old bug 668245 on GNOME's Bugzilla and Debian bug 516916).
Consider the "/tmp/a b
" directory with files book.xml
:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE book [
<!ENTITY preface SYSTEM "preface.xml">
]>
<book>
&preface;
</book>
and preface.xml
:
<?xml version="1.0" encoding="utf-8"?>
<preface>
<title>About this document</title>
</preface>
From this directory, xmllint --noent "/tmp/a b/book.xml"
succeeds, but not outside of this directory:
$ xmllint --noent "/tmp/a b/book.xml"
warning: failed to load external entity "preface.xml"
/tmp/a b/book.xml:6: parser error : Failure to process entity preface
&preface;
^
/tmp/a b/book.xml:6: parser error : Entity 'preface' not defined
&preface;
^
The error disappears if one replaces the space by %20
, i.e. xmllint --noent "/tmp/a%20b/book.xml"
. However, strace xmllint --noent "/tmp/a%20b/book.xml"
shows that xmllint
first tries /tmp/a%20b/book.xml
and /tmp/a%20b/preface.xml
before considering /tmp/a b/book.xml
and /tmp/a b/preface.xml
respectively. This means that wrong files may be opened, with possible security implications. Thus this is not a correct workaround.