END_TEST
/* Regression test for SF bug #483514. */
START_TEST(test_dtd_default_handling)
{
char *text =
"<!DOCTYPE doc [\n"
"<!ENTITY e SYSTEM 'http://xml.libexpat.org/e'>\n"
"<!NOTATION n SYSTEM 'http://xml.libexpat.org/n'>\n"
"<!ELEMENT doc EMPTY>\n"
"<!ATTLIST doc a CDATA #IMPLIED>\n"
"<?pi in dtd?>\n"
"<!--comment in dtd-->\n"
"]><doc/>";
XML_SetDefaultHandler(parser, accumulate_characters);
XML_SetDoctypeDeclHandler(parser,
dummy_start_doctype_handler,
dummy_end_doctype_handler);
XML_SetEntityDeclHandler(parser, dummy_entity_decl_handler);
XML_SetNotationDeclHandler(parser, dummy_notation_decl_handler);
XML_SetElementDeclHandler(parser, dummy_element_decl_handler);
XML_SetAttlistDeclHandler(parser, dummy_attlist_decl_handler);
XML_SetProcessingInstructionHandler(parser, dummy_pi_handler);
XML_SetCommentHandler(parser, dummy_comment_handler);
run_character_check(text, "\n\n\n\n\n\n\n<doc/>");
}
void ParserEngine::init()
{
if (_parser)
XML_ParserFree(_parser);
if (!_pBuffer)
_pBuffer = new char[PARSE_BUFFER_SIZE];
if (dynamic_cast<NoNamespacePrefixesStrategy*>(_pNamespaceStrategy))
{
_parser = XML_ParserCreateNS(_encodingSpecified ? _encoding.c_str() : 0, '\t');
if (_parser)
{
XML_SetNamespaceDeclHandler(_parser, handleStartNamespaceDecl, handleEndNamespaceDecl);
}
}
else if (dynamic_cast<NamespacePrefixesStrategy*>(_pNamespaceStrategy))
{
_parser = XML_ParserCreateNS(_encodingSpecified ? _encoding.c_str() : 0, '\t');
if (_parser)
{
XML_SetReturnNSTriplet(_parser, 1);
XML_SetNamespaceDeclHandler(_parser, handleStartNamespaceDecl, handleEndNamespaceDecl);
}
}
else
{
_parser = XML_ParserCreate(_encodingSpecified ? _encoding.c_str() : 0);
}
if (!_parser) throw XMLException("Cannot create Expat parser");
XML_SetUserData(_parser, this);
XML_SetElementHandler(_parser, handleStartElement, handleEndElement);
XML_SetCharacterDataHandler(_parser, handleCharacterData);
XML_SetProcessingInstructionHandler(_parser, handleProcessingInstruction);
if (_expandInternalEntities)
XML_SetDefaultHandlerExpand(_parser, handleDefault);
else
XML_SetDefaultHandler(_parser, handleDefault);
XML_SetUnparsedEntityDeclHandler(_parser, handleUnparsedEntityDecl);
XML_SetNotationDeclHandler(_parser, handleNotationDecl);
XML_SetExternalEntityRefHandler(_parser, handleExternalEntityRef);
XML_SetCommentHandler(_parser, handleComment);
XML_SetCdataSectionHandler(_parser, handleStartCdataSection, handleEndCdataSection);
XML_SetDoctypeDeclHandler(_parser, handleStartDoctypeDecl, handleEndDoctypeDecl);
XML_SetEntityDeclHandler(_parser, handleEntityDecl);
XML_SetSkippedEntityHandler(_parser, handleSkippedEntity);
XML_SetParamEntityParsing(_parser, _externalParameterEntities ? XML_PARAM_ENTITY_PARSING_ALWAYS : XML_PARAM_ENTITY_PARSING_NEVER);
XML_SetUnknownEncodingHandler(_parser, handleUnknownEncoding, this);
}
void
OMXMLReaderExpat::reset()
{
TRACE("OMXMLReaderExpat::reset");
XML_ParserFree(_parser);
if (_workBuffer != 0)
{
delete [] _workBuffer;
}
OMListIterator<OMXMLAttribute*> iter(_attributes, OMBefore);
while (++iter)
{
delete iter.value();
}
_attributes.clear();
OMUInt32 elementCount = _startNmspaceDecls.count();
for (OMUInt32 i = 0; i < elementCount; i++)
{
delete _startNmspaceDecls.getAt(i);
}
_startNmspaceDecls.clear();
_endNmspaceDecls.clear();
clearEvents();
_parser = XML_ParserCreateNS(0, NAMESPACE_SEPARATOR);
XML_SetNotationDeclHandler(_parser, ::expat_NotationDeclHandler);
XML_SetEntityDeclHandler(_parser, ::expat_EntityDeclHandler);
XML_SetStartNamespaceDeclHandler(_parser, ::expat_StartNamespaceDeclHandler);
XML_SetEndNamespaceDeclHandler(_parser, ::expat_EndNamespaceDeclHandler);
XML_SetStartElementHandler(_parser, ::expat_StartElementHandler);
XML_SetEndElementHandler(_parser, ::expat_EndElementHandler);
XML_SetCharacterDataHandler(_parser, ::expat_CharacterDataHandler);
XML_SetUserData(_parser, this);
_workBuffer = new wchar_t[WORK_BUFFER_MIN_SIZE];
_workBufferSize = WORK_BUFFER_MIN_SIZE;
_readNextChunk = true;
_status = true;
_numInBuffer = 0;
_xmlStream->setPosition(0);
}
bool_t reset_handlers_parser(parser_t *parser) {
if( parser ) {
XML_SetStartElementHandler(parser->p, parser->callbacks.start_tag ?
xml_startelementhandler : NULL);
XML_SetEndElementHandler(parser->p, parser->callbacks.end_tag ?
xml_endelementhandler : NULL);
XML_SetCommentHandler(parser->p, parser->callbacks.comment ?
xml_commenthandler : NULL);
XML_SetCharacterDataHandler(parser->p, parser->callbacks.chardata ?
xml_characterdatahandler : NULL);
XML_SetProcessingInstructionHandler(parser->p, parser->callbacks.pidata ?
xml_processinginstructionhandler : NULL);
XML_SetStartCdataSectionHandler(parser->p, parser->callbacks.start_cdata ?
xml_startcdatahandler : NULL);
/* if start_cdata, always set endcdatahandler */
XML_SetEndCdataSectionHandler(parser->p, parser->callbacks.start_cdata ?
xml_endcdatahandler : NULL);
XML_SetDefaultHandler(parser->p, parser->callbacks.dfault ?
xml_defaulthandler : NULL);
XML_SetStartDoctypeDeclHandler(parser->p, parser->callbacks.start_doctypedecl ?
xml_startdoctypedeclhandler : NULL);
/* if start_doctypedecl, always set enddoctypedeclhandler */
XML_SetEndDoctypeDeclHandler(parser->p, parser->callbacks.start_doctypedecl ?
xml_enddoctypedeclhandler : NULL);
XML_SetEntityDeclHandler(parser->p, parser->callbacks.entitydecl ?
xml_entitydeclhandler : NULL);
/* what to do about entities: there can be internal and external
* entities, which expat treats differently. We want all our
* entities to stay unprocessed, otherwise we'll get well formedness
* errors. When a handler is called, the raw string is passed to
* the default handler (provided it exists). */
XML_UseForeignDTD(parser->p, XML_TRUE);
XML_SetParamEntityParsing(parser->p, XML_PARAM_ENTITY_PARSING_NEVER);
XML_SetExternalEntityRefHandler(parser->p,
xml_externalentityrefhandler);
XML_SetExternalEntityRefHandlerArg(parser->p, parser);
XML_SetSkippedEntityHandler(parser->p, xml_skippedentityhandler);
return TRUE;
}
return FALSE;
}
nad_t nad_parse(const char *buf, int len) {
struct build_data bd;
XML_Parser p;
if(len == 0)
len = strlen(buf);
p = XML_ParserCreateNS(NULL, '|');
if(p == NULL)
return NULL;
bd.p = p;
XML_SetReturnNSTriplet(p, 1);
/* Prevent the "billion laughs" attack against expat by disabling
* internal entity expansion. With 2.x, forcibly stop the parser
* if an entity is declared - this is safer and a more obvious
* failure mode. With older versions, simply prevent expenansion
* of such entities. */
#ifdef HAVE_XML_STOPPARSER
XML_SetEntityDeclHandler(p, (void *) _nad_parse_entity_declaration);
#else
XML_SetDefaultHandler(p, NULL);
#endif
bd.nad = nad_new();
bd.depth = 0;
XML_SetUserData(p, (void *) &bd);
XML_SetElementHandler(p, _nad_parse_element_start, _nad_parse_element_end);
XML_SetCharacterDataHandler(p, _nad_parse_cdata);
XML_SetStartNamespaceDeclHandler(p, _nad_parse_namespace_start);
if(!XML_Parse(p, buf, len, 1)) {
XML_ParserFree(p);
nad_free(bd.nad);
return NULL;
}
XML_ParserFree(p);
if(bd.depth != 0)
return NULL;
return bd.nad;
}
APR_DECLARE(apr_xml_parser *) apr_xml_parser_create_ex(apr_pool_t *pool,
void *start_func, void *end_func, void *cdata_func)
{
apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
parser->impl = apr_xml_get_parser_impl();
parser->p = pool;
parser->doc = apr_pcalloc(pool, sizeof(*parser->doc));
parser->doc->namespaces = apr_array_make(pool, 5, sizeof(const char *));
/* ### is there a way to avoid hard-coding this? */
apr_xml_insert_uri(parser->doc->namespaces, APR_KW_DAV);
parser->xp = XML_ParserCreate(NULL);
if (parser->xp == NULL) {
(*apr_pool_abort_get(pool))(APR_ENOMEM);
return NULL;
}
apr_pool_cleanup_register(pool, parser, cleanup_parser,
apr_pool_cleanup_null);
XML_SetUserData(parser->xp, parser);
XML_SetElementHandler(parser->xp, start_func, end_func);
XML_SetCharacterDataHandler(parser->xp, cdata_func);
/* Prevent the "billion laughs" attack against expat by disabling
* internal entity expansion. With 2.x, forcibly stop the parser
* if an entity is declared - this is safer and a more obvious
* failure mode. With older versions, installing a noop
* DefaultHandler means that internal entities will be expanded as
* the empty string, which is also sufficient to prevent the
* attack. */
#if XML_MAJOR_VERSION > 1
XML_SetEntityDeclHandler(parser->xp, entity_declaration);
#else
XML_SetDefaultHandler(parser->xp, default_handler);
#endif
return parser;
}
bool SkXMLParser::parse(SkStream& docStream)
{
ParsingContext ctx(this);
if (!ctx.fXMLParser) {
SkDebugf("could not create XML parser\n");
return false;
}
XML_SetUserData(ctx.fXMLParser, &ctx);
XML_SetElementHandler(ctx.fXMLParser, start_element_handler, end_element_handler);
XML_SetCharacterDataHandler(ctx.fXMLParser, text_handler);
// Disable entity processing, to inhibit internal entity expansion. See expat CVE-2013-0340.
XML_SetEntityDeclHandler(ctx.fXMLParser, entity_decl_handler);
static const int kBufferSize = 512 SkDEBUGCODE( - 507);
bool done = false;
do {
void* buffer = XML_GetBuffer(ctx.fXMLParser, kBufferSize);
if (!buffer) {
SkDebugf("could not buffer enough to continue\n");
return false;
}
size_t len = docStream.read(buffer, kBufferSize);
done = docStream.isAtEnd();
XML_Status status = XML_ParseBuffer(ctx.fXMLParser, SkToS32(len), done);
if (XML_STATUS_ERROR == status) {
XML_Error error = XML_GetErrorCode(ctx.fXMLParser);
int line = XML_GetCurrentLineNumber(ctx.fXMLParser);
int column = XML_GetCurrentColumnNumber(ctx.fXMLParser);
const XML_LChar* errorString = XML_ErrorString(error);
SkDebugf("parse error @%d:%d: %d (%s).\n", line, column, error, errorString);
return false;
}
} while (!done);
return true;
}
OMXMLReaderExpat::OMXMLReaderExpat(OMRawStorage* xmlStream)
: _appendData(false), _xmlStream(xmlStream), _parser(0)
{
TRACE("OMXMLReaderExpat::OMXMLReaderExpat");
clearEvents();
_parser = XML_ParserCreateNS(0, NAMESPACE_SEPARATOR);
XML_SetNotationDeclHandler(_parser, ::expat_NotationDeclHandler);
XML_SetEntityDeclHandler(_parser, ::expat_EntityDeclHandler);
XML_SetStartNamespaceDeclHandler(_parser, ::expat_StartNamespaceDeclHandler);
XML_SetEndNamespaceDeclHandler(_parser, ::expat_EndNamespaceDeclHandler);
XML_SetStartElementHandler(_parser, ::expat_StartElementHandler);
XML_SetEndElementHandler(_parser, ::expat_EndElementHandler);
XML_SetCharacterDataHandler(_parser, ::expat_CharacterDataHandler);
XML_SetUserData(_parser, this);
_workBuffer = new wchar_t[WORK_BUFFER_MIN_SIZE];
_workBufferSize = WORK_BUFFER_MIN_SIZE;
_readNextChunk = true;
_status = true;
_numInBuffer = 0;
}
void _Expat_XML_SetEntityDeclHandler(struct ExpatIFace * Self, XML_Parser parser, XML_EntityDeclHandler handler)
{
XML_SetEntityDeclHandler(parser, handler);
}
am_config_t *am_parse_config_xml(unsigned long instance_id, const char *xml, size_t xml_sz, char log_enable) {
const char *thisfunc = "am_parse_config_xml():";
am_config_t *r = NULL;
char *begin, *stream = NULL;
size_t data_sz;
pcre *x = NULL;
const char *error = NULL;
int erroroffset;
am_xml_parser_ctx_t xctx = {.depth = 0, .setting_value = 0,
.conf = NULL, .rgx = NULL, .parser = NULL, .log_enable = log_enable};
if (xml == NULL || xml_sz == 0) {
am_log_error(instance_id, "%s memory allocation error", thisfunc);
return NULL;
}
/*match [key]=value returned within <value>[key]=value_of_a_key</value> element*/
x = pcre_compile("(?<=\\[)(.+?)(?=\\])\\]\\s*\\=\\s*(.+)", 0, &error, &erroroffset, NULL);
if (x == NULL) {
am_log_error(instance_id, "%s pcre error %s", thisfunc, error == NULL ? "" : error);
}
r = calloc(1, sizeof (am_config_t));
if (r == NULL) {
am_log_error(instance_id, "%s memory allocation error", thisfunc);
pcre_free(x);
return NULL;
}
r->instance_id = instance_id;
begin = strstr(xml, "![CDATA[");
if (begin != NULL) {
char *end = strstr(begin + 8, "]]>");
if (end != NULL) {
stream = begin + 8;
data_sz = end - (begin + 8);
}
} else {
/*no CDATA*/
stream = (char *) xml;
data_sz = xml_sz;
}
if (stream != NULL && data_sz > 0) {
XML_Parser parser = XML_ParserCreate("UTF-8");
xctx.parser = &parser;
xctx.conf = r;
xctx.rgx = x;
XML_SetUserData(parser, &xctx);
XML_SetElementHandler(parser, start_element, end_element);
XML_SetCharacterDataHandler(parser, character_data);
XML_SetEntityDeclHandler(parser, entity_declaration);
if (XML_Parse(parser, stream, (int) data_sz, XML_TRUE) == XML_STATUS_ERROR) {
const char *message = XML_ErrorString(XML_GetErrorCode(parser));
int line = XML_GetCurrentLineNumber(parser);
int col = XML_GetCurrentColumnNumber(parser);
am_log_error(instance_id, "%s xml parser error (%d:%d) %s", thisfunc,
line, col, message);
am_config_free(&r);
r = NULL;
} else {
r->ts = time(NULL);
}
XML_ParserFree(parser);
}
pcre_free(x);
return r;
}
void bmx_expat_XML_SetEntityDeclHandler(XML_Parser parser) {
XML_SetEntityDeclHandler(parser, bmx_expat_EntityDeclHandler);
}