kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2026-02-11 18:55:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Browse Source 
The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack.  Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42
This commit is contained in:
George Joseph
2026-01-15 08:38:26 -07:00
parent 1ee5fe13b6
commit 53b675763c
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
main/xml.c
View File

@@ -99,7 +99,7 @@ struct ast_xml_doc *ast_xml_open(char *filename)
return NULL;
}
doc = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
doc = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
if (!doc) {
return NULL;
}
@@ -503,7 +503,7 @@ struct ast_xslt_doc *ast_xslt_open(char *filename)
xsltStylesheet *xslt;
xmlDoc *xml;
xml = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
xml = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
if (!xml) {
return NULL;
}
@@ -531,7 +531,7 @@ struct ast_xslt_doc *ast_xslt_read_memory(char *buffer, size_t size)
return NULL;
}
doc = xmlReadMemory(buffer, (int) size, NULL, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
doc = xmlReadMemory(buffer, (int) size, NULL, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
if (!doc) {
return NULL;
}