mirror of
https://github.com/php/php-src.git
synced 2024-09-21 18:07:23 +00:00
c283c3ab0b
Fixes GHSA-3qrf-m4j2-pcrr.

To parse a document with libxml2, you first need to create a parsing context. The parsing context contains parsing options (e.g. XML_NOENT to substitute entities) that the application (in this case PHP) can set. Unfortunately, libxml2 also supports providing default set options. For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT option will be added to the parsing options every time you create a parsing context **even if the application never requested XML_NOENT**.

Third party extensions can override these globals, in particular the substitute entity global. This causes entity substitution to be unexpectedly active.

Fix it by setting the parsing options to a sane known value. For API calls that depend on global state we introduce PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS(). For other APIs that work directly with a context we introduce php_libxml_sanitize_parse_ctxt_options().
tests
attr.c
cdatasection.c
characterdata.c
comment.c
config.m4
config.w32
CREDITS
document.c
documentfragment.c
documenttype.c
dom_ce.h
dom_iterators.c
dom_properties.h
domexception.c
domexception.h
domimplementation.c
element.c
entity.c
entityreference.c
namednodemap.c
node.c
nodelist.c
notation.c
parentnode.c
php_dom_arginfo.h
php_dom.c
php_dom.h
php_dom.stub.php
processinginstruction.c
text.c
xml_common.h
xpath.c