diff options
| author | Johan B. C. Engelen <jbc.engelen@swissonline.ch> | 2012-12-05 22:39:22 +0000 |
|---|---|---|
| committer | Johan B. C. Engelen <j.b.c.engelen@alumnus.utwente.nl> | 2012-12-05 22:39:22 +0000 |
| commit | bc29141167ff3df4b92d85edae209d3fb9ffab93 (patch) | |
| tree | c3e35038a6a0a68677b0a63b6ba4f4f1721f3ba4 /src | |
| parent | i18n. Improving windows's title internationalization (color mode wasn't corre... (diff) | |
| download | inkscape-bc29141167ff3df4b92d85edae209d3fb9ffab93.tar.gz inkscape-bc29141167ff3df4b92d85edae209d3fb9ffab93.zip | |
- fix security bug lp:1025185
- make network access optional for XML loading
Fixed bugs:
- https://launchpad.net/bugs/1025185
(bzr r11931)
Diffstat (limited to 'src')
| -rw-r--r-- | src/preferences-skeleton.h | 4 | ||||
| -rw-r--r-- | src/ui/dialog/ocaldialogs.cpp | 10 | ||||
| -rw-r--r-- | src/xml/repr-io.cpp | 8 |
3 files changed, 19 insertions, 3 deletions
diff --git a/src/preferences-skeleton.h b/src/preferences-skeleton.h index 2cd391150..77ffe429a 100644 --- a/src/preferences-skeleton.h +++ b/src/preferences-skeleton.h @@ -337,6 +337,10 @@ static char const preferences_skeleton[] = " check_on_reading=\"0\" " " check_on_editing=\"0\" " " check_on_writing=\"0\"/>\n" +" <group id=\"externalresources\">\n" +" <group id=\"xml\" " +" allow_net_access=\"0\"/>\n" +" </group>\n" " <group id=\"forkgradientvectors\" value=\"1\"/>\n" " <group id=\"iconrender\" named_nodelay=\"0\"/>\n" " <group id=\"autosave\" enable=\"0\" interval=\"10\" path=\"\" max=\"10\"/>\n" diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp index 174f361fd..c7bff185c 100644 --- a/src/ui/dialog/ocaldialogs.cpp +++ b/src/ui/dialog/ocaldialogs.cpp @@ -1112,8 +1112,14 @@ void ImportDialog::on_xml_file_read(const Glib::RefPtr<Gio::AsyncResult>& result xmlDoc *doc = NULL; xmlNode *root_element = NULL; - doc = xmlReadMemory(data, (int) length, xml_uri.c_str(), NULL, - XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR); + int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR; // do not use XML_PARSE_NOENT ! see bug lp:1025185 + Inkscape::Preferences *prefs = Inkscape::Preferences::get(); + bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false); + if (!allowNetAccess) { + parse_options |= XML_PARSE_NONET; + } + + doc = xmlReadMemory(data, (int) length, xml_uri.c_str(), NULL, parse_options); if (doc == NULL) { // If nothing is returned, no results could be found diff --git a/src/xml/repr-io.cpp b/src/xml/repr-io.cpp index 29a5b4a78..1258617c7 100644 --- a/src/xml/repr-io.cpp +++ b/src/xml/repr-io.cpp @@ -297,12 +297,18 @@ Document *sp_repr_read_file (const gchar * filename, const gchar *default_ns) XmlSource src; if ( (src.setFile(filename) == 0) ) { + int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185 + Inkscape::Preferences *prefs = Inkscape::Preferences::get(); + bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false); + if (!allowNetAccess) { + parse_options |= XML_PARSE_NONET; + } doc = xmlReadIO( XmlSource::readCb, XmlSource::closeCb, &src, localFilename, src.getEncoding(), - XML_PARSE_NOENT | XML_PARSE_HUGE); + parse_options); } } |