114377 2013-04-10 13:09:07 -0700 External XML entities are not loaded with modern libxml2 2013-06-03 12:37:53 -0700 1 1 1 Unclassified WebKit XML 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 ap ap mrowe zan oldest_to_newest 873177 0 ap 2013-04-10 13:09:07 -0700 With ToT libxml2, I'm seeing http/tests/security/xss-DENIED-xml-external-entity.xhtml fail because it doesn't even attempt to load the file, and thus doesn't generate a failure message. <rdar://problem/13047266> 873178 1 ap 2013-04-10 13:09:42 -0700 The change in behavior was <https://git.gnome.org/browse/libxml2/commit/?id=4629ee02>. 873187 2 197394 ap 2013-04-10 13:18:35 -0700 Created attachment 197394 proposed fix There are many differences between createStringParser and createMemoryParser. I'm only fixing one, because I don't know if any of the other differences are intentional. Notably, I'm not adding XML_PARSE_NODICT - I checked the history, and I couldn't find the reason why createMemoryParser uses it. 873194 3 197394 darin 2013-04-10 13:24:21 -0700 Comment on attachment 197394 proposed fix View in context: https://bugs.webkit.org/attachment.cgi?id=197394&action=review > Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:506 > + xmlCtxtUseOptions(parser, XML_PARSE_NOENT); It might be nice to have a comment explaining why this is the right option to use. > Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:531 > // Copy the sax handler Wow, lame comment. > Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:534 > xmlCtxtUseOptions(parser, XML_PARSE_NODICT | XML_PARSE_NOENT); It might still be nice to have a comment explaining why these are the right options to use. 873278 4 ap 2013-04-10 15:44:59 -0700 Committed <http://trac.webkit.org/r148144>. I changed comments a little, but I don't understand this code enough to explain everything about it. 896577 5 zan 2013-06-03 12:37:53 -0700 *** Bug 104680 has been marked as a duplicate of this bug. *** 197394 2013-04-10 13:18:35 -0700 2013-04-10 13:24:21 -0700 proposed fix PasreNoent.txt text/plain 2751 ap SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE0ODEzMikKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIwIEBACisyMDEzLTA0LTEwICBBbGV4ZXkg UHJvc2t1cnlha292ICA8YXBAYXBwbGUuY29tPgorCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8x MzA0NzI2Nj4gRXh0ZXJuYWwgWE1MIGVudGl0aWVzIGFyZSBub3QgbG9hZGVkIHdpdGggbW9kZXJu IGxpYnhtbDIKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTExNDM3NworCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IENvdmVyZWQgYnkgaHR0cC90ZXN0cy9zZWN1cml0eS94c3MtREVOSUVELXhtbC1leHRlcm5hbC1l bnRpdHkueGh0bWwgd2hlbiB1c2luZworICAgICAgICBuZXcgZW5vdWdoIGxpYnhtbDIuCisKKyAg ICAgICAgKiB4bWwvcGFyc2VyL1hNTERvY3VtZW50UGFyc2VyTGlieG1sMi5jcHA6CisgICAgICAg IChXZWJDb3JlOjpzd2l0Y2hUb1VURjE2KTogQWRkZWQgYSBGSVhNRSB3aXRoIGFuIGlkZWEgZm9y IGltcHJvdmVtZW50LgorICAgICAgICAoV2ViQ29yZTo6WE1MUGFyc2VyQ29udGV4dDo6Y3JlYXRl U3RyaW5nUGFyc2VyKTogQXBwbHkgWE1MX1BBUlNFX05PRU5UIGluIGEgbm9uLWhhY2t5CisgICAg ICAgIHdheSwgc28gdGhhdCB0aGUgbmV3IGxpYnhtbDIgY2hlY2sgZG9lc24ndCBmYWlsLgorICAg ICAgICAoV2ViQ29yZTo6WE1MUGFyc2VyQ29udGV4dDo6Y3JlYXRlTWVtb3J5UGFyc2VyKTogUmVt b3ZlZCBhbiB1bmhlbHBmdWwgYW5kIGluY29ycmVjdAorICAgICAgICBjb21tZW50IChYTUxfUEFS U0VfTk9ESUNUIGFjdHVhbGx5IG1lYW5zICJEbyBub3QgcmV1c2UgdGhlIGNvbnRleHQgZGljdGlv bmFyeSIpLgorCiAyMDEzLTA0LTEwICBYYWJpZXIgUm9kcmlndWV6IENhbHZhciAgPGNhbHZhcmlz QGlnYWxpYS5jb20+CiAKICAgICAgICAgQ2xpY2tpbmcgb24gdGhlIHZvbHVtZSBzbGlkZXIgb2Yg SFRNTDUgZWxlbWVudHMgaXMgcGF1c2luZyBzb21ldGltZXMKSW5kZXg6IFNvdXJjZS9XZWJDb3Jl L3htbC9wYXJzZXIvWE1MRG9jdW1lbnRQYXJzZXJMaWJ4bWwyLmNwcAo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBT b3VyY2UvV2ViQ29yZS94bWwvcGFyc2VyL1hNTERvY3VtZW50UGFyc2VyTGlieG1sMi5jcHAJKHJl dmlzaW9uIDE0ODEwMSkKKysrIFNvdXJjZS9XZWJDb3JlL3htbC9wYXJzZXIvWE1MRG9jdW1lbnRQ YXJzZXJMaWJ4bWwyLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMzgwLDYgKzM4MCw5IEBAIHN0YXRp YyB2b2lkIHN3aXRjaFRvVVRGMTYoeG1sUGFyc2VyQ3R4dFAKICAgICAvLyByZXNldHRpbmcgdGhl IGVuY29kaW5nIHRvIFVURi0xNiBiZWZvcmUgZXZlcnkgY2h1bmsuICBPdGhlcndpc2UgbGlieG1s CiAgICAgLy8gd2lsbCBkZXRlY3QgPD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iPGVuY29k aW5nIG5hbWU+Ij8+IGJsb2NrcwogICAgIC8vIGFuZCBzd2l0Y2ggZW5jb2RpbmdzLCBjYXVzaW5n IHRoZSBwYXJzZSB0byBmYWlsLgorCisgICAgLy8gRklYTUU6IENhbiB3ZSBqdXN0IHVzZSBYTUxf UEFSU0VfSUdOT1JFX0VOQyBub3c/CisKICAgICBjb25zdCBVQ2hhciBCT00gPSAweEZFRkY7CiAg ICAgY29uc3QgdW5zaWduZWQgY2hhciBCT01IaWdoQnl0ZSA9ICpyZWludGVycHJldF9jYXN0PGNv bnN0IHVuc2lnbmVkIGNoYXIqPigmQk9NKTsKICAgICB4bWxTd2l0Y2hFbmNvZGluZyhjdHh0LCBC T01IaWdoQnl0ZSA9PSAweEZGID8gWE1MX0NIQVJfRU5DT0RJTkdfVVRGMTZMRSA6IFhNTF9DSEFS X0VOQ09ESU5HX1VURjE2QkUpOwpAQCAtNDk5LDcgKzUwMiw5IEBAIFBhc3NSZWZQdHI8WE1MUGFy c2VyQ29udGV4dD4gWE1MUGFyc2VyQ28KIAogICAgIHhtbFBhcnNlckN0eHRQdHIgcGFyc2VyID0g eG1sQ3JlYXRlUHVzaFBhcnNlckN0eHQoaGFuZGxlcnMsIDAsIDAsIDAsIDApOwogICAgIHBhcnNl ci0+X3ByaXZhdGUgPSB1c2VyRGF0YTsKLSAgICBwYXJzZXItPnJlcGxhY2VFbnRpdGllcyA9IHRy dWU7CisKKyAgICB4bWxDdHh0VXNlT3B0aW9ucyhwYXJzZXIsIFhNTF9QQVJTRV9OT0VOVCk7CisK ICAgICBzd2l0Y2hUb1VURjE2KHBhcnNlcik7CiAKICAgICByZXR1cm4gYWRvcHRSZWYobmV3IFhN TFBhcnNlckNvbnRleHQocGFyc2VyKSk7CkBAIC01MjYsOSArNTMxLDYgQEAgUGFzc1JlZlB0cjxY TUxQYXJzZXJDb250ZXh0PiBYTUxQYXJzZXJDbwogICAgIC8vIENvcHkgdGhlIHNheCBoYW5kbGVy CiAgICAgbWVtY3B5KHBhcnNlci0+c2F4LCBoYW5kbGVycywgc2l6ZW9mKHhtbFNBWEhhbmRsZXIp KTsKIAotICAgIC8vIFNldCBwYXJzZXIgb3B0aW9ucy4KLSAgICAvLyBYTUxfUEFSU0VfTk9ESUNU OiBkZWZhdWx0IGRpY3Rpb25hcnkgb3B0aW9uLgotICAgIC8vIFhNTF9QQVJTRV9OT0VOVDogZm9y Y2UgZW50aXRpZXMgc3Vic3RpdHV0aW9ucy4KICAgICB4bWxDdHh0VXNlT3B0aW9ucyhwYXJzZXIs IFhNTF9QQVJTRV9OT0RJQ1QgfCBYTUxfUEFSU0VfTk9FTlQpOwogCiAgICAgLy8gSW50ZXJuYWwg aW5pdGlhbGl6YXRpb24K