1From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
2From: Sebastian Pipping <sebastian@pipping.org>
3Date: Sat, 12 Feb 2022 01:09:29 +0100
4Subject: [PATCH] lib: Protect against malicious namespace declarations
5 (CVE-2022-25236)
6
7---
8 lib/xmlparse.c | 11 +++++++++++
9 1 file changed, 11 insertions(+)
10
11diff --git a/lib/xmlparse.c b/lib/xmlparse.c
12index c768f856..a3aef88c 100644
13--- a/lib/xmlparse.c
14+++ b/lib/xmlparse.c
15@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
16 if (! mustBeXML && isXMLNS
17 && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
18 isXMLNS = XML_FALSE;
19+
20+ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
21+ // we have to at least make sure that the XML processor on top of
22+ // Expat (that is splitting tag names by namespace separator into
23+ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
24+ // by an attacker putting additional namespace separator characters
25+ // into namespace declarations. That would be ambiguous and not to
26+ // be expected.
27+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
28+ return XML_ERROR_SYNTAX;
29+ }
30 }
31 isXML = isXML && len == xmlLen;
32 isXMLNS = isXMLNS && len == xmlnsLen;
33
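Review bot: The new check `if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator))` rejects every namespace URI that contains the separator anywhere, and since the separator is chosen by the application when the namespace-aware parser is created, a separator that is itself a legal URI character (':' , '/', '#', '?') will now turn ordinary declarations such as "http://..." into XML_ERROR_SYNTAX for that application; the commit message and the NOTE comment do not mention this regression risk. If rejecting such documents is intended, the comment should say so, e.g. `// Any URI containing the separator is rejected, even when the separator is a legal URI character; applications must pick a separator that cannot occur in a URI.`; otherwise the comparison should be limited to separators that cannot appear in an RFC 3986 URI. Because the check runs inside the per-character scan of uri, it fires on the first offending character before any binding is allocated, which is the right place for it; that enclosing loop starts before the hunk and the rest of addBinding continues after it.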