Bug 114377 - External XML entities are not loaded with modern libxml2
Summary: External XML entities are not loaded with modern libxml2
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alexey Proskuryakov
Keywords: InRadar
: 104680 (view as bug list)
Depends on:
Reported: 2013-04-10 13:09 PDT by Alexey Proskuryakov
Modified: 2013-06-03 12:37 PDT (History)
2 users (show)

See Also:

proposed fix (2.69 KB, patch)
2013-04-10 13:18 PDT, Alexey Proskuryakov
darin: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Proskuryakov 2013-04-10 13:09:07 PDT
With ToT libxml2, I'm seeing http/tests/security/xss-DENIED-xml-external-entity.xhtml fail because it doesn't even attempt to load the file, and thus doesn't generate a failure message.

Comment 1 Alexey Proskuryakov 2013-04-10 13:09:42 PDT
The change in behavior was <https://git.gnome.org/browse/libxml2/commit/?id=4629ee02>.
Comment 2 Alexey Proskuryakov 2013-04-10 13:18:35 PDT
Created attachment 197394 [details]
proposed fix

There are many differences between createStringParser and createMemoryParser. I'm only fixing one, because I don't know if any of the other differences are intentional.

Notably, I'm not adding XML_PARSE_NODICT - I checked the history, and I couldn't find the reason why createMemoryParser uses it.
Comment 3 Darin Adler 2013-04-10 13:24:21 PDT
Comment on attachment 197394 [details]
proposed fix

View in context: https://bugs.webkit.org/attachment.cgi?id=197394&action=review

> Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:506
> +    xmlCtxtUseOptions(parser, XML_PARSE_NOENT);

It might be nice to have a comment explaining why this is the right option to use.

> Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:531
>      // Copy the sax handler

Wow, lame comment.

> Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:534
>      xmlCtxtUseOptions(parser, XML_PARSE_NODICT | XML_PARSE_NOENT);

It might still be nice to have a comment explaining why these are the right options to use.
Comment 4 Alexey Proskuryakov 2013-04-10 15:44:59 PDT
Committed <http://trac.webkit.org/r148144>. I changed comments a little, but I don't understand this code enough to explain everything about it.
Comment 5 Zan Dobersek 2013-06-03 12:37:53 PDT
*** Bug 104680 has been marked as a duplicate of this bug. ***