Improve XML sanitization in NOTIFYs, especially for presence subtypes and messages.

Embedded carriage return line feed combinations may appear in presence subtypes
and messages since they may be derived from user input in an instant messenger
client. As such, they need to be properly escaped so that XML parsers do not
vomit when the messages are received.

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/12@413372 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/res/res_pjsip/presence_xml.c b/res/res_pjsip/presence_xml.c
index 31e06eba4adac2edd27859ed57465aebf929c621..9ed07caa17d0cd182637fc6bc0c58561a0428052 100644 (file)
--- a/res/res_pjsip/presence_xml.c
+++ b/res/res_pjsip/presence_xml.c
@@ -43,7 +43,7 @@ void ast_sip_sanitize_xml(const char *input, char *output, size_t len)
 
        output[0] = '\0';
 
-       while ((break_point = strpbrk(copy, "<>\"&'"))) {
+       while ((break_point = strpbrk(copy, "<>\"&'\n\r"))) {
                char to_escape = *break_point;
 
                *break_point = '\0';
@@ -65,6 +65,12 @@ void ast_sip_sanitize_xml(const char *input, char *output, size_t len)
                case '\'':
                        strncat(output, "&apos;", len);
                        break;
+               case '\r':
+                       strncat(output, "&#13;", len);
+                       break;
+               case '\n':
+                       strncat(output, "&#10;", len);
+                       break;
                };
 
                copy = break_point + 1;

diff --git a/res/res_pjsip_pidf_digium_body_supplement.c b/res/res_pjsip_pidf_digium_body_supplement.c
index d1b2c6b56fbaccac8cb5fab811b6b5ccba154a2d..22cd01be76b021b986abc99a3edb4ced3e0074d7 100644 (file)
--- a/res/res_pjsip_pidf_digium_body_supplement.c
+++ b/res/res_pjsip_pidf_digium_body_supplement.c
@@ -40,6 +40,7 @@ static int pidf_supplement_body(void *body, void *data)
 {
        struct ast_sip_exten_state_data *state_data = data;
        pj_xml_node *node;
+       char sanitized[256];
 
        if (ast_strlen_zero(state_data->user_agent) ||
            !strstr(state_data->user_agent, "digium")) {
@@ -69,8 +70,8 @@ static int pidf_supplement_body(void *body, void *data)
        }
 
        if (!ast_strlen_zero(state_data->presence_message)) {
-                       pj_strdup2(state_data->pool, &node->content,
-                                  state_data->presence_message);
+               ast_sip_sanitize_xml(state_data->presence_message, sanitized, sizeof(sanitized));
+               pj_strdup2(state_data->pool, &node->content, sanitized);
        }
 
        ast_sip_presence_xml_create_attr(
@@ -78,9 +79,9 @@ static int pidf_supplement_body(void *body, void *data)
                        state_data->presence_state));
 
        if (!ast_strlen_zero(state_data->presence_subtype)) {
+               ast_sip_sanitize_xml(state_data->presence_subtype, sanitized, sizeof(sanitized));
                ast_sip_presence_xml_create_attr(
-                       state_data->pool, node, "subtype",
-                       state_data->presence_subtype);
+                       state_data->pool, node, "subtype", sanitized);
        }
 
        return 0;