authorDave Beckett <dave@dajobe.org>2012-01-29 12:34:59 -0800
committerDave Beckett <dave@dajobe.org>2012-03-15 20:28:07 -0700
commita676f235309a59d4aa78eeffd2574ae5d341fcb0 (patch)
tree168142072c2f2c5a1cb444ef0d5687df3f46cee4 /librdfa
parentce893f4133305c4adae3201559aba9ac8cc7566b (diff)
downloadraptor-a676f235309a59d4aa78eeffd2574ae5d341fcb0.tar.gz
CVE-2012-0037
Enforce entity loading policy in raptor_libxml_resolveEntity and raptor_libxml_getEntity by checking for file URIs and network URIs. Add RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES / loadExternalEntities for turning on XML external entity loading, disabled by default. This affects all the parsers that use SAX2: rdfxml, rss-tag-soup (and aliases) and rdfa.
Diffstat (limited to 'librdfa')
-rw-r--r--librdfa/rdfa.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/librdfa/rdfa.c b/librdfa/rdfa.c
index 8ec11144..be68b954 100644
--- a/librdfa/rdfa.c
+++ b/librdfa/rdfa.c
@@ -1230,6 +1230,9 @@ int rdfa_parse_start(rdfacontext* context)
raptor_sax2_set_option(context->sax2,
RAPTOR_OPTION_NO_FILE, NULL,
RAPTOR_OPTIONS_GET_NUMERIC(rdf_parser, RAPTOR_OPTION_NO_FILE));
+ raptor_sax2_set_option(context->sax2,
+ RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES, NULL,
+ RAPTOR_OPTIONS_GET_NUMERIC(rdf_parser, RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES));
if(rdf_parser->uri_filter)
raptor_sax2_set_uri_filter(context->sax2, rdf_parser->uri_filter,
rdf_parser->uri_filter_user_data);
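Review bot: The result of the added `raptor_sax2_set_option(context->sax2, RAPTOR_OPTION_LOAD_EXTERNAL_ENTITIES, NULL, ...)` call is discarded, as it is for the `RAPTOR_OPTION_NO_FILE` call just above it, so a failure to apply the entity-loading policy would go unnoticed and parsing would continue with whatever setting the SAX2 object already holds. Assuming the function returns a non-zero status on failure (its declaration is not visible in this hunk), wrap the call in `if(...)` and return the failure code of `rdfa_parse_start` from that branch. Because this option is the external-entity control the commit adds for CVE-2012-0037, a one-line comment would also help the next maintainer keep it next to the file and network restrictions, e.g. `/* entity policy: external entities are loaded only if the caller enabled the option */`. The body of `rdfa_parse_start` starts and ends outside this hunk, so the other options copied to `context->sax2` could not be checked from here.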