From ea03b56f916419aebe22f51962d6b24c0f737124 Mon Sep 17 00:00:00 2001 From: Marc Cromme Date: Wed, 7 Mar 2007 14:18:35 +0000 Subject: [PATCH] Added always the XML parsing flag XML_PARSE_NONET to any XML_PARSE_XINCLUDE to avoid spoofing Zebra to fetch megabyte from an external xincluded url. pretty normal safety thing to do, we just did forget before. --- index/alvis.c | 20 ++++++++++++++------ index/mod_dom.c | 13 ++++++++----- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/index/alvis.c b/index/alvis.c index 4ae6140..c926129 100644 --- a/index/alvis.c +++ b/index/alvis.c @@ -1,4 +1,4 @@ -/* $Id: alvis.c,v 1.13 2007-02-18 21:50:52 adam Exp $ +/* $Id: alvis.c,v 1.14 2007-03-07 14:18:35 marc Exp $ Copyright (C) 1995-2007 Index Data ApS @@ -508,7 +508,9 @@ static int extract_split(struct filter_info *tinfo, struct recExtractCtrl *p) p /* I/O handler */, 0 /* URL */, 0 /* encoding */, - XML_PARSE_XINCLUDE|XML_PARSE_NOENT); + XML_PARSE_XINCLUDE + | XML_PARSE_NOENT + | XML_PARSE_NONET); } if (!tinfo->reader) return RECCTRL_EXTRACT_ERROR_GENERIC; @@ -551,11 +553,17 @@ static int extract_full(struct filter_info *tinfo, struct recExtractCtrl *p) xmlDocPtr doc = xmlReadIO(ioread_ex, ioclose_ex, p /* I/O handler */, 0 /* URL */, 0 /* encoding */, - XML_PARSE_XINCLUDE|XML_PARSE_NOENT); + XML_PARSE_XINCLUDE + | XML_PARSE_NOENT + | XML_PARSE_NONET); if (!doc) - { return RECCTRL_EXTRACT_ERROR_GENERIC; - } + /* else { + xmlNodePtr root = xmlDocGetRootElement(doc); + if (!root) + return RECCTRL_EXTRACT_ERROR_GENERIC; + } */ + return extract_doc(tinfo, p, doc); } else @@ -695,7 +703,7 @@ static int filter_retrieve (void *clientData, struct recRetrieveCtrl *p) doc = xmlReadIO(ioread_ret, ioclose_ret, p /* I/O handler */, 0 /* URL */, 0 /* encoding */, - XML_PARSE_XINCLUDE|XML_PARSE_NOENT); + XML_PARSE_XINCLUDE | XML_PARSE_NOENT | XML_PARSE_NONET); if (!doc) { p->diagnostic = YAZ_BIB1_SYSTEM_ERROR_IN_PRESENTING_RECORDS; 
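Review bot: XML_PARSE_NONET, added to the reader options in extract_split, stops network loads only; with XML_PARSE_NOENT and XML_PARSE_XINCLUDE still set, an external entity or xi:include that names a local path can still be resolved from the filesystem of the host doing the indexing. The same option set is used in extract_full and filter_retrieve in this file and at the three mod_dom.c call sites. If records can come from sources that are not fully trusted, consider dropping XML_PARSE_NOENT where entity expansion is not required, or registering a restrictive loader with xmlSetExternalEntityLoader(). At minimum, document the remaining exposure at the call, e.g. `/* NONET blocks network loads only; local files stay reachable via entities and XInclude */`. extract_split's body continues outside the hunk.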
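Review bot: The commented-out `else { ... }` block added after the `if (!doc)` check in extract_full is dead code and should either be deleted or turned into a real check. As written it would also return without releasing `doc` if it were ever enabled; a working form would be `if (!xmlDocGetRootElement(doc)) { xmlFreeDoc(doc); return RECCTRL_EXTRACT_ERROR_GENERIC; }`. Whether extract_doc already copes with a document that has no root element is not visible here, and extract_full continues outside the hunk.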
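Review bot: In filter_retrieve the new flag governs only the xmlReadIO parse itself; as far as I know the tree API does not expand xi:include elements from XML_PARSE_XINCLUDE alone, so any later XInclude pass loads its resources under its own flags. No such call is visible in this hunk, but if the document is later handed to xmlXIncludeProcess(), it should become `xmlXIncludeProcessFlags(doc, XML_PARSE_NONET)` so included documents are fetched under the same restriction. The same check applies to the xmlReadIO call in extract_full and to the corresponding mod_dom.c call sites.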
diff --git a/index/mod_dom.c b/index/mod_dom.c index 131c09a..b1555d7 100644 --- a/index/mod_dom.c +++ b/index/mod_dom.c @@ -1,5 +1,5 @@ -/* $Id: mod_dom.c,v 1.29 2007-03-06 12:09:44 adam Exp $ +/* $Id: mod_dom.c,v 1.30 2007-03-07 14:18:35 marc Exp $ Copyright (C) 1995-2007 Index Data ApS @@ -1142,8 +1142,9 @@ static int extract_xml_split(struct filter_info *tinfo, p /* I/O handler */, 0 /* URL */, 0 /* encoding */, - XML_PARSE_XINCLUDE| - XML_PARSE_NOENT); + XML_PARSE_XINCLUDE + | XML_PARSE_NOENT + | XML_PARSE_NONET); } if (!input->u.xmlreader.reader) return RECCTRL_EXTRACT_ERROR_GENERIC; @@ -1210,7 +1211,9 @@ static int extract_xml_full(struct filter_info *tinfo, p /* I/O handler */, 0 /* URL */, 0 /* encoding */, - XML_PARSE_XINCLUDE|XML_PARSE_NOENT); + XML_PARSE_XINCLUDE + | XML_PARSE_NOENT + | XML_PARSE_NONET); if (!doc) { return RECCTRL_EXTRACT_ERROR_GENERIC; @@ -1369,7 +1372,7 @@ static int filter_retrieve (void *clientData, struct recRetrieveCtrl *p) doc = xmlReadIO(ioread_ret, ioclose_ret, p /* I/O handler */, 0 /* URL */, 0 /* encoding */, - XML_PARSE_XINCLUDE|XML_PARSE_NOENT); + XML_PARSE_XINCLUDE | XML_PARSE_NOENT | XML_PARSE_NONET); if (!doc) { p->diagnostic = YAZ_BIB1_SYSTEM_ERROR_IN_PRESENTING_RECORDS; -- 1.7.10.4
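Review bot: The option set `XML_PARSE_XINCLUDE | XML_PARSE_NOENT | XML_PARSE_NONET` is now spelled out by hand at three call sites in mod_dom.c, starting with extract_xml_split, and at three more in alvis.c, in two different layouts. The commit message says the flag had simply been forgotten before, and six independent copies make it easy for one call site to drift again. A single named constant in a header both files include would keep the parser policy in one place, for example `#define ZEBRA_XML_PARSE_OPTIONS (XML_PARSE_XINCLUDE | XML_PARSE_NOENT | XML_PARSE_NONET)` (the name is only a suggestion), with a short comment stating why NONET is mandatory.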