--- /dev/null
+From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 15 Aug 2020 18:32:29 +0200
+Subject: [PATCH] Revert "Do not URI escape in server side includes"
+
+This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
+
+This commit introduced
+
+- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
+- an algorithm with quadratic runtime
+- a security issue, see
+ https://bugzilla.gnome.org/show_bug.cgi?id=769760
+
+A better approach is to add an option not to escape URLs at all
+which libxml2 should have possibly done in the first place.
+
+CVE: CVE-2016-3709
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ HTMLtree.c | 49 +++++++++++--------------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 8d236bb35..cdb7f86a6 100644
+--- a/HTMLtree.c
++++ b/HTMLtree.c
+@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
+ (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
+ ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
+ (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
++ xmlChar *escaped;
+ xmlChar *tmp = value;
+- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
+- xmlBufCCat(buf->buffer, "\"");
+
+ while (IS_BLANK_CH(*tmp)) tmp++;
+
+- /* URI Escape everything, except server side includes. */
+- for ( ; ; ) {
+- xmlChar *escaped;
+- xmlChar endChar;
+- xmlChar *end = NULL;
+- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
+- if (start != NULL) {
+- end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
+- if (end != NULL) {
+- *start = '\0';
+- }
+- }
+-
+- /* Escape the whole string, or until start (set to '\0'). */
+- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
+- if (escaped != NULL) {
+- xmlBufCat(buf->buffer, escaped);
+- xmlFree(escaped);
+- } else {
+- xmlBufCat(buf->buffer, tmp);
+- }
+-
+- if (end == NULL) { /* Everything has been written. */
+- break;
+- }
+-
+- /* Do not escape anything within server side includes. */
+- *start = '<'; /* Restore the first character of "<!--". */
+- end += 3; /* strlen("-->") */
+- endChar = *end;
+- *end = '\0';
+- xmlBufCat(buf->buffer, start);
+- *end = endChar;
+- tmp = end;
++ /*
++ * the < and > have already been escaped at the entity level
++ * And doing so here breaks server side includes
++ */
++ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
++ if (escaped != NULL) {
++ xmlBufWriteQuotedString(buf->buffer, escaped);
++ xmlFree(escaped);
++ } else {
++ xmlBufWriteQuotedString(buf->buffer, value);
+ }
+-
+- xmlBufCCat(buf->buffer, "\"");
+ } else {
+ xmlBufWriteQuotedString(buf->buffer, value);
+ }
projects / thirdparty / openembedded / openembedded-core.git / commitdiff
