Commit 4629ee02 authored by Daniel Veillard

Do not fetch external parsed entities

Unless explicitly asked for when validating or replacing entities
with their value. Problem pointed out by Tom Lane <tgl@redhat.com>

* parser.c: do not load external parsed entities unless needed
* test/errors/extparsedent.xml result/errors/extparsedent.xml*:
  add a regression test to avoid change of the behaviour in the future
parent baaf03f8
......@@ -6927,8 +6927,15 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
* The first reference to the entity trigger a parsing phase
* where the ent->children is filled with the result from
* the parsing.
*/
if (ent->checked == 0) {
* Note: external parsed entities will not be loaded, it is not
* required for a non-validating parser, unless the parsing option
* of validating, or substituting entities were given. Doing so is
* far more secure as the parser will only process data coming from
* the document entity by default.
*/
if ((ent->checked == 0) &&
((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
(ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
unsigned long oldnbent = ctxt->nbentities;
/*
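Review bot: the new guard in xmlParseReference decides whether to load an external parsed entity only from `ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)`, so it is worth confirming that every way a caller can turn on validation or entity substitution also sets those bits in ctxt->options. If any path enables either behaviour without them, external entities would silently stop loading for that caller while ent->checked stays 0. Since this changes the default for non-validating parsers, the documentation for XML_PARSE_NOENT and XML_PARSE_DTDVALID should also state that they are now what enables external parsed entity loading.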
......
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY c PUBLIC "bar" "/etc/doesnotexist">
]>
<root>&c;</root>
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY c PUBLIC "bar" "/etc/doesnotexist">
]>
<root>&c;</root>
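Review bot: the fixture points entity c at "/etc/doesnotexist" and the expected result keeps `&c;` unexpanded, so the test covers only the default branch, where no load is attempted. Nothing shown here exercises the other side of the new condition; a companion case run with XML_PARSE_NOENT or XML_PARSE_DTDVALID against the same input would pin down that the entity is still fetched when explicitly requested.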