Fix XML encoding of 'identity display' in NOTIFY messages.

XML encoding in chan_sip is accomplished by naively building the XML directly from strings. While this usually works, it fails to take into account escaping the reserved characters in XML. This patch adds an 'ast_xml_escape' function, which works similarly to 'ast_uri_encode'. This is used to properly escape the local_display attribute in XML formatted NOTIFY messages. Several things to note: * The Right Thing(TM) to do would probably be to replace the ast_build_string stuff with building an ast_xml_doc. That's a much bigger change, and out of scope for the original ticket, so I refrained myself. * It is with great sadness that I wrote my own ast_xml_escape function. There's one in libxml2, but it's knee-deep in libxml2-ness, and not easily used to one-off escape a string. * I only escaped the string we know is causing problems (local_display). At least some of the other strings are URI-encoded, which should be XML safe. Rather than figuring out what's safe and escaping what's not, it would be much cleaner to simply build an ast_xml_doc for the messages and let the XML library do the XML escaping. Like I said, that's out of scope. (closes issue ABE-2902) Reported by: Guenther Kelleter Tested by: Guenther Kelleter Review: http://reviewboard.digium.internal/r/365/ ........ Merged revision 378919 from https://origsvn.digium.com/svn/asterisk/be/branches/C.3-bier git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@378933 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-11-10 03:48:34 +00:00 · 2013-01-12 06:26:34 +00:00
parent f6404e6e15
commit c5aee60db5
4 changed files with 205 additions and 6 deletions
--- a/include/asterisk/utils.h
+++ b/include/asterisk/utils.h
@@ -248,9 +248,9 @@ int ast_base64encode(char *dst, const unsigned char *src, int srclen, int max);
 */
 int ast_base64decode(unsigned char *dst, const char *src, int max);

-/*! \brief Turn text string to URI-encoded %XX version 
+/*! \brief Turn text string to URI-encoded %XX version
 *
- * \note 
+ * \note
 *  At this point, this function is encoding agnostic; it does not
 *  check whether it is fed legal UTF-8. We escape control
 *  characters (\x00-\x1F\x7F), '%', and all characters above 0x7F.
@@ -269,10 +269,24 @@ int ast_base64decode(unsigned char *dst, const char *src, int max);
 char *ast_uri_encode(const char *string, char *outbuf, int buflen, int do_special_char);

 /*!	\brief Decode URI, URN, URL (overwrite string)
-	\param s	String to be decoded 
+	\param s	String to be decoded
 */
 void ast_uri_decode(char *s);

+/*! ast_xml_escape
+	\brief Escape reserved characters for use in XML.
+
+	If \a outbuf is too short, the output string will be truncated.
+	Regardless, the output will always be null terminated.
+
+	\param string String to be converted
+	\param outbuf Resulting encoded string
+	\param buflen Size of output buffer
+	\return 0 for success
+	\return -1 if buflen is too short.
+ */
+int ast_xml_escape(const char *string, char *outbuf, size_t buflen);
+
 /*!
 * \brief Escape characters found in a quoted string.
 *