archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
php-src/ext/xsl
History
Exact
Niels Dossche 0675edb933
Sanitize libxml2 globals before parsing 
Fixes GHSA-3qrf-m4j2-pcrr.

To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains parsing options (e.g. XML_NOENT to substitute
entities) that the application (in this case PHP) can set.
Unfortunately, libxml2 also supports providing default set options.
For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
option will be added to the parsing options every time you create a parsing
context **even if the application never requested XML_NOENT**.

Third party extensions can override these globals, in particular the
substitute entity global. This causes entity substitution to be
unexpectedly active.

Fix it by setting the parsing options to a sane known value.
For API calls that depend on global state we introduce
PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
For other APIs that work directly with a context we introduce
php_libxml_sanitize_parse_ctxt_options().
2023-07-31 15:40:48 -05:00
..
tests Add some missing EXTENSIONS sections to misc tests 2021-06-14 14:52:44 +02:00
config.m4 ext/xsl: Use PKG_CHECK_MODULES to detect the EXSLT library 2019-06-07 09:35:14 +02:00
config.w32 Trim trailing whitespace in source code files 2018-10-13 14:17:28 +02:00
CREDITS
php_xsl.c Update http->https in license (#6945) 2021-05-06 12:16:35 +02:00
php_xsl.h Update http->https in license (#6945) 2021-05-06 12:16:35 +02:00
php_xsl.stub.php Declare tentative return types for ext/xsl 2021-05-25 19:15:44 +02:00
php_xsl_arginfo.h Declare tentative return types for ext/xsl 2021-05-25 19:15:44 +02:00
xsltprocessor.c Sanitize libxml2 globals before parsing 2023-07-31 15:40:48 -05:00