File CVE-2015-3451.patch of Package perl-XML-LibXML

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2015-3451.patch of Package perl-XML-LibXML

# HG changeset patch
# User Shlomi Fish <shlomif@shlomifish.org>
# Date 1429773082 -10800
# Node ID 5962fd067580767777e94640b129ae8930a68a30
# Parent  bf6083003fdd0b27f17929ce3669d7f85e3a38db
Preserve unset options after a _clone() call (e.g: in load_xml()).

Index: XML-LibXML-2.0019/LibXML.pm
===================================================================
--- XML-LibXML-2.0019.orig/LibXML.pm
+++ XML-LibXML-2.0019/LibXML.pm
@@ -392,9 +392,13 @@ sub _clone {
       line_numbers => $self->{XML_LIBXML_LINENUMBERS},
       base_uri => $self->{XML_LIBXML_BASE_URI},
       gdome => $self->{XML_LIBXML_GDOME},
-      set_parser_flags => $self->{XML_LIBXML_PARSER_OPTIONS},
     });
+  # The parser options may contain some options that were zeroed from the
+  # defaults so set_parser_flags won't work here. We need to assign them
+  # explicitly.
+  $new->{XML_LIBXML_PARSER_OPTIONS} = $self->{XML_LIBXML_PARSER_OPTIONS};
   $new->input_callbacks($self->input_callbacks());
+
   return $new;
 }
 
Index: XML-LibXML-2.0019/t/43options.t
===================================================================
--- XML-LibXML-2.0019.orig/t/43options.t
+++ XML-LibXML-2.0019/t/43options.t
@@ -3,7 +3,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 289;
+use Test::More tests => 290;
 
 use XML::LibXML;
 
@@ -162,6 +162,46 @@ no_network
 }
 
 {
+  my $XML = <<'EOT';
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE title [ <!ELEMENT title ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+<channel>
+   <title>XXE</title>
+   <link>example.com</link>
+   <description>XXE</description>
+   <item>
+       <title>&xxe;</title>
+       <link>example.com</link>
+       <description>XXE here</description>
+   </item>
+</channel>
+</rss>
+EOT
+
+       my $sys_line = <<'EOT';
+<!ENTITY xxe SYSTEM "file:///etc/passwd"
+EOT
+
+       chomp ($sys_line);
+
+       my $parser = XML::LibXML->new(
+             expand_entities => 0,
+             load_ext_dtd    => 0,
+             no_network      => 1,
+             expand_xinclude => 0,
+         );
+       my $XML_DOC = $parser->load_xml( string => $XML, );
+
+       # TEST
+       like (scalar($XML_DOC->toString()), qr/\Q$sys_line\E/,
+             "expand_entities is preserved after _clone()/etc."
+         );
+}
+
+{
+
   my $p = XML::LibXML->new(map { $_=>0 } @all);
   for my $opt (@all) {
     # TEST*$all

Places

File CVE-2015-3451.patch of Package perl-XML-LibXML

Places