authorDaniel P. Berrange <berrange@redhat.com>2014-04-15 11:20:29 +0100
committerEric Blake <eblake@redhat.com>2014-09-17 22:14:59 -0600
commit16fc426a27d88bbdc96c307c7ef0cce25e8ae717 (patch)
treedc7582c76c08ab4941e46ef8a99c697b9365fe91
parente22f1c2e13523c830dc5f26c87e644b4a0dfd1df (diff)
LSN-2014-0003: Don't expand entities when parsing XML
If the XML_PARSE_NOENT flag is passed to libxml2, then any entities in the input document will be fully expanded. This allows the user to read arbitrary files on the host machine by creating an entity pointing to a local file. Removing the XML_PARSE_NOENT flag means that any entities are left unchanged by the parser, or expanded to "" by the XPath APIs. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit d6b27d3e4c40946efa79e91d134616b41b1666c4)
-rw-r--r--src/util/virxml.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/util/virxml.c b/src/util/virxml.c
index aa55a33874..613e8f0d73 100644
--- a/src/util/virxml.c
+++ b/src/util/virxml.c
@@ -749,11 +749,11 @@ virXMLParseHelper(int domcode,
if (filename) {
xml = xmlCtxtReadFile(pctxt, filename, NULL,
- XML_PARSE_NOENT | XML_PARSE_NONET |
+ XML_PARSE_NONET |
XML_PARSE_NOWARNING);
} else {
xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL,
- XML_PARSE_NOENT | XML_PARSE_NONET |
+ XML_PARSE_NONET |
XML_PARSE_NOWARNING);
}
if (!xml)
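Review bot: Neither parser call in virXMLParseHelper carries a comment recording why XML_PARSE_NOENT is left out, and the flag's name reads as if it disabled entities when it actually turns entity substitution on, so a later cleanup could plausibly re-add it. I would put a comment above the `if (filename)` branch such as `/* Never pass XML_PARSE_NOENT: it makes libxml2 substitute entities, so a document could pull in local files (LSN-2014-0003) */`. The same flag set is also spelled out twice, once for xmlCtxtReadFile and once for xmlCtxtReadDoc; a single local like `const int parseFlags = XML_PARSE_NONET | XML_PARSE_NOWARNING;` passed to both calls would keep the file and string paths from drifting apart. The function begins and ends outside this hunk, so whether other parse entry points in the file still pass the flag cannot be checked from here; a test that parses a document containing an external entity and asserts the file's content never appears in the result would guard against a regression.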