Hi Daniel,
The fix for CVE-2014-0191 broke the --postvalid option. In that case, DTDs
are not loaded even though requested on the command line. This was the
CVE-2014-0191 patch:
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
With --postvalid specified on the command line, XML_PARSE_DTDVALID is not
set in ctxt->options; instead, XML_PARSE_DTDLOAD is set. The same goes for the
other options that set XML_PARSE_DTDLOAD, --dtdvalid and --dtdvalidfpi.
Patch attached.
Regards,
Alexey.
diff --git a/parser.c b/parser.c
index c0dea05..f368bb5 100644
--- a/parser.c
+++ b/parser.c
@@ -2608,6 +2608,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
((ctxt->options & XML_PARSE_NOENT) == 0) &&
((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
(ctxt->validate == 0))
return;
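Review bot: the added XML_PARSE_DTDLOAD test in the early-return condition applies to every caller that reaches xmlParserHandlePEReference, not only the xmllint --postvalid, --dtdvalid and --dtdvalidfpi paths named in the message, so any application that sets XML_PARSE_DTDLOAD will again load external parameter entities that the CVE-2014-0191 guard was skipping. If that is the intended meaning of the flag, a short comment above the if stating which options permit loading an external parameter entity would make the four-way condition reviewable, and a regression test that runs --postvalid against a document with an external DTD would keep this from breaking again.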
_______________________________________________
xml mailing list, project page http://xmlsoft.org/
https://mail.gnome.org/mailman/listinfo/xml