php-src/ext/dom
Niels Dossche c283c3ab0b Sanitize libxml2 globals before parsing
Fixes GHSA-3qrf-m4j2-pcrr.

To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains parsing options (e.g. XML_NOENT to substitute
entities) that the application (in this case PHP) can set.
Unfortunately, libxml2 also supports providing default set options.
For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
option will be added to the parsing options every time you create a parsing
context **even if the application never requested XML_NOENT**.

Third party extensions can override these globals, in particular the
substitute entity global. This causes entity substitution to be
unexpectedly active.

Fix it by setting the parsing options to a sane known value.
For API calls that depend on global state we introduce
PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
For other APIs that work directly with a context we introduce
php_libxml_sanitize_parse_ctxt_options().
2023-07-31 19:47:19 +01:00
tests Sanitize libxml2 globals before parsing 2023-07-31 19:47:19 +01:00
attr.c Promote warnings to error in DOM extension 2020-09-22 19:12:32 +01:00
cdatasection.c Promote warnings to error in DOM extension 2020-09-22 19:12:32 +01:00
characterdata.c Fix bug #80600 DOMChildNode::remove does not work on DOMCharacterData. 2021-02-02 20:26:52 +01:00
comment.c Promote warnings to error in DOM extension 2020-09-22 19:12:32 +01:00
config.m4 [RFC] Implement new DOM Living Standard APIs in ext/dom 2020-02-28 16:13:39 +01:00
config.w32 [RFC] Implement new DOM Living Standard APIs in ext/dom 2020-02-28 16:13:39 +01:00
CREDITS
document.c Sanitize libxml2 globals before parsing 2023-07-31 19:47:19 +01:00
documentfragment.c Sanitize libxml2 globals before parsing 2023-07-31 19:47:19 +01:00
documenttype.c Fix [-Wundef] warning in DOM extension 2020-05-16 15:31:15 +02:00
dom_ce.h Fix [-Wundef] warning in DOM extension 2020-05-16 15:31:15 +02:00
dom_iterators.c Add get_gc handle for object iterators 2020-07-01 15:17:22 +02:00
dom_properties.h Fix [-Wundef] warning in DOM extension 2020-05-16 15:31:15 +02:00
domexception.c Fix [-Wundef] warning in DOM extension 2020-05-16 15:31:15 +02:00
domexception.h Generate method entries for ext/dom 2020-04-13 00:13:11 +02:00
domimplementation.c Merge branch 'PHP-7.4' into PHP-8.0 2021-11-14 23:29:27 -08:00
element.c Merge branch 'PHP-7.4' into PHP-8.0 2021-09-13 12:13:09 +02:00
entity.c Fix [-Wundef] warning in DOM extension 2020-05-16 15:31:15 +02:00
entityreference.c Promote warnings to error in DOM extension 2020-09-22 19:12:32 +01:00
namednodemap.c Promote warnings to error in DOM extension 2020-09-22 19:12:32 +01:00
node.c Fix #79451: DOMDocument->replaceChild on doctype causes double free 2022-08-19 18:10:06 +02:00
nodelist.c Remove proto comments from C files 2020-07-06 21:13:34 +02:00
notation.c Fix [-Wundef] warning in DOM extension 2020-05-16 15:31:15 +02:00
parentnode.c Fix bug #80600 DOMChildNode::remove does not work on DOMCharacterData. 2021-02-02 20:26:52 +01:00
php_dom_arginfo.h Fix DOMNameSpaceNode casing 2021-08-05 09:02:31 +02:00
php_dom.c Merge branch 'PHP-7.4' into PHP-8.0 2021-03-17 12:40:03 +01:00
php_dom.h Promote warnings to error in DOM extension 2020-09-22 19:12:32 +01:00
php_dom.stub.php Fix DOMNameSpaceNode casing 2021-08-05 09:02:31 +02:00
processinginstruction.c Promote warnings to error in DOM extension 2020-09-22 19:12:32 +01:00
text.c Promote warnings to error in DOM extension 2020-09-22 19:12:32 +01:00
xml_common.h Remove DOM_GET_THIS macro 2020-03-09 09:56:22 +01:00
xpath.c Promote warnings to error in DOM extension 2020-09-22 19:12:32 +01:00