From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sat, 12 Feb 2022 01:09:29 +0100
Subject: [PATCH] lib: Protect against malicious namespace declarations
(CVE-2022-25236)
---
lib/xmlparse.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index c768f856..a3aef88c 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
if (! mustBeXML && isXMLNS
&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
isXMLNS = XML_FALSE;
+
+ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+ // we have to at least make sure that the XML processor on top of
+ // Expat (that is splitting tag names by namespace separator into
+ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+ // by an attacker putting additional namespace separator characters
+ // into namespace declarations. That would be ambiguous and not to
+ // be expected.
+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+ return XML_ERROR_SYNTAX;
+ }
}
isXML = isXML && len == xmlLen;
isXMLNS = isXMLNS && len == xmlnsLen;
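Review bot: The new check `if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator))` rejects every namespace URI that contains the application-chosen separator, so a parser whose separator is a character that legitimately occurs in URIs (`:` being the obvious case) will now fail on well-formed documents with XML_ERROR_SYNTAX; consider limiting the rejection to separators that cannot legally appear in a URI, or at least stating the compatibility impact in the NOTE so integrators know which separators remain safe. The enclosing loop over `uri` and `addBinding` itself begin outside the hunk, so the bound on `len` is not visible here; the surrounding comparisons against `xmlnsNamespace[len]` suggest the loop condition is `uri[len]`, which would guarantee the indexed byte is non-NUL, but that should be confirmed at the loop header. XML_ERROR_SYNTAX tells the caller nothing about the cause; a short comment at the return such as `// separator inside a namespace URI would make the uri+sep+local split ambiguous` helps whoever later triages this error path.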