[libxml2] parser bug on misformed namespace attributes

From: Daniel Veillard <veillard src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] parser bug on misformed namespace attributes
Date: Mon, 6 Oct 2014 12:35:54 +0000 (UTC)

commit 7e9bbdf82f5ef65e2fdd4961ee4dbb62949e1f1f
Author: Dennis Filder <d filder web de>
Date:   Mon Oct 6 20:34:14 2014 +0800

    parser bug on misformed namespace attributes
    
    For https://bugzilla.gnome.org/show_bug.cgi?id=672539
    Reported by Axel Miller <axel miller ppi de>
    
    Consider the following start-tag:
    <x xmlns=""version="">
    
    The start-tag does not conform to the rule
    
    [40]       STag       ::=       '<' Name (S Attribute)* S? '>'
    
    since there is no whitespace in front of the attribute "version".
    
    Thus, libxml2 should reject the start-tag.
    But it doesn't:
    
    $ echo '<x xmlns=""version=""/>' | xmllint -
    <?xml version="1.0"?>
    <x xmlns="" version=""/>
    
    The error seems to happen only if there is a namespace declaration in
    front of
    the attribute. A missing whitespace between other attributes is handled
    correctly:
    
    $ echo '<x someattr=""version=""/>' | xmllint -
    -:1: parser error : attributes construct error
    <x someattr=""version=""/>
                  ^
    [...]

 parser.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)
---
diff --git a/parser.c b/parser.c
index 3de828b..2ef2c3b 100644
--- a/parser.c
+++ b/parser.c
@@ -9386,6 +9386,13 @@ reparse:
                    if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
 skip_default_ns:
                if (alloc != 0) xmlFree(attvalue);
+               if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+                   break;
+               if (!IS_BLANK_CH(RAW)) {
+                   xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+                                  "attributes construct error\n");
+                   break;
+               }
                SKIP_BLANKS;
                continue;
            }
@@ -9459,6 +9466,13 @@ skip_default_ns:
                    if (nsPush(ctxt, attname, URL) > 0) nbNs++;
 skip_ns:
                if (alloc != 0) xmlFree(attvalue);
+               if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+                   break;
+               if (!IS_BLANK_CH(RAW)) {
+                   xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+                                  "attributes construct error\n");
+                   break;
+               }
                SKIP_BLANKS;
                if (ctxt->input->base != base) goto base_changed;
                continue;

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]