[CVE-2024-40896] Fix XXE protection in downstream code

Some users set an entity's children manually in the getEntity SAX callback to restrict entity expansion. This stopped working after renaming the "checked" member of xmlEntity, making at least one downstream project and its dependants susceptible to XXE attacks. See #761.
2025-03-31 06:50:06 +03:00 · 2024-07-06 01:03:46 +02:00 · 2024-07-06 01:03:46 +02:00 · 1a89323039
commit 1a89323039
parent 6cc2387e1a
1 changed files with 8 additions and 0 deletions
--- a/parser.c
+++ b/parser.c
@ -7379,6 +7379,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
 	return;
    }

+    /*
+     * Some users try to parse entities on their own and used to set
+     * the renamed "checked" member. Fix the flags to cover this
+     * case.
+     */
+    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
+        ent->flags |= XML_ENT_PARSED;
+
    /*
     * The first reference to the entity trigger a parsing phase
     * where the ent->children is filled with the result from