Hi,
We have noticed in oscap 1.2.6 that when the SCE output contains certain control characters, it causes the HTML report creation to fail.
        
The issue arises since libxml2 rejects invalid characters.
In the ASCII character set, only HT, NL, CR, the blank
and beyond are accepted: all other control characters
are rejected.

Within oscap, the function src/common/oscap_acquire.c:
oscap_acquire_pipe_to_string() is used to "sanitize"
the output to be incorporated into xml files, with the
comment:
                    // & is a special case, we have to "escape" it manually
                    // (all else will eventually get handled by libxml)

Unfortunately, libxml *doesn't* handle control characters.
Probably this function should be extended to convert control
characters other than HT, NL, and CR to some safe representation.
Note that the Unicode entity form (&#0xx;) won't work since
libxml converts this back to an invalid input character.

The patch that we did to fix this issue is as follows:
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index a670dd2..c3c032e 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -192,6 +192,15 @@ oscap_acquire_pipe_to_string(int fd)
                        // & is a special case, we have to "escape" it manually
                        // (all else will eventually get handled by libxml)
                        oscap_string_append_string(pipe_string, "&");
+                } else if (readbuf < 0x20 && !(readbuf == '\t' ||
+               readbuf == '\n' || readbuf == '\r')) {
+            // libxml doesn't tolerate most control characters
+            // in its input stream, reformat
+            char tranbuf[5];
+
+            snprintf(tranbuf, sizeof(tranbuf), "\\%03o", readbuf);
+            oscap_string_append_string(pipe_string, tranbuf);
+
                } else {
                        oscap_string_append_char(pipe_string, readbuf);
                }
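Review bot: the `readbuf < 0x20` test in the new `else if` is only correct when `readbuf` is unsigned, and its declaration is not visible in this hunk. If it is a plain `char` on a platform where `char` is signed, bytes 0x80-0xFF compare as negative and enter this branch, and `"\\%03o"` then formats a negative int whose digits are cut off by the 5-byte `tranbuf`, so valid UTF-8 output would be mangled. Converting once to `unsigned char` and using that value in both the comparison and the `snprintf` argument avoids this. Two smaller points: a literal backslash in the script output is not escaped, so the text `\001` and an escaped 0x01 byte become indistinguishable in the report; and the added lines as posted mix indentation depths and leave a blank line before `} else {`, unlike the surrounding code.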
--
2.6.1


Please let me know if this is acceptable.

Thank you,
Jacob.

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
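The escaping rule described in the message, as a stand-alone added example (not OpenSCAP code and not the posted patch): `xml_rejected_byte` and `xml_sanitize` are hypothetical names, the sample input is constructed, and the cast to `unsigned char` is an assumption about how to keep bytes at or above 0x80 out of the control-character branch.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: true for the bytes the message says libxml2
 * rejects, i.e. controls below 0x20 other than HT, NL and CR. */
static int xml_rejected_byte(unsigned char c)
{
    return c < 0x20 && c != '\t' && c != '\n' && c != '\r';
}

/* Copy n bytes of raw script output into out so it can be embedded in
 * XML text. Returns the number of bytes written, or -1 if out is too small.
 *   '&'           -> "&amp;"
 *   rejected byte -> backslash plus three octal digits, e.g. \033
 *   anything else is copied unchanged (UTF-8 bytes >= 0x80 included). */
static long xml_sanitize(const char *in, size_t n, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        /* Cast first: plain char may be signed, and a negative value
         * would otherwise satisfy "< 0x20". */
        unsigned char c = (unsigned char)in[i];
        char piece[8];
        int len;

        if (c == '&')
            len = snprintf(piece, sizeof(piece), "&amp;");
        else if (xml_rejected_byte(c))
            len = snprintf(piece, sizeof(piece), "\\%03o", (unsigned)c);
        else
            len = snprintf(piece, sizeof(piece), "%c", c);

        if (o + (size_t)len + 1 > outsz)
            return -1;              /* no room for piece plus the NUL */
        memcpy(out + o, piece, (size_t)len);
        o += (size_t)len;
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed sample: ANSI colour codes, an ampersand, UTF-8 text. */
    const char raw[] = "\x1b[31mFAIL\x1b[0m a&b caf\xc3\xa9\n";
    char safe[128];
    if (xml_sanitize(raw, sizeof(raw) - 1, safe, sizeof(safe)) >= 0)
        fputs(safe, stdout);
    return 0;
}
```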
