diff options
| author | Sebastian Pipping <sebastian@pipping.org> | 2022-02-12 01:09:29 +0100 |
|---|---|---|
| committer | Sebastian Pipping <sebastian@pipping.org> | 2022-02-16 02:07:19 +0100 |
| commit | a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 (patch) | |
| tree | 84cd8cfb19c1d93299491c7f6d008ba5d12dc32a | |
| parent | 6881a4fc8596307ab9ff2e85e605afa2e413ab71 (diff) | |
| download | libexpat-git-a2fe525e660badd64b6c557c2b1ec26ddc07f6e4.tar.gz | |
lib: Protect against malicious namespace declarations (CVE-2022-25236)
| -rw-r--r-- | expat/lib/xmlparse.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c index c768f856..a3aef88c 100644 --- a/expat/lib/xmlparse.c +++ b/expat/lib/xmlparse.c @@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, if (! mustBeXML && isXMLNS && (len > xmlnsLen || uri[len] != xmlnsNamespace[len])) isXMLNS = XML_FALSE; + + // NOTE: While Expat does not validate namespace URIs against RFC 3986, + // we have to at least make sure that the XML processor on top of + // Expat (that is splitting tag names by namespace separator into + // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused + // by an attacker putting additional namespace separator characters + // into namespace declarations. That would be ambiguous and not to + // be expected. + if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) { + return XML_ERROR_SYNTAX; + } } isXML = isXML && len == xmlLen; isXMLNS = isXMLNS && len == xmlnsLen; |