diff options
Diffstat (limited to 'main/lua-luaxml/0001-XML-attributes.patch')
-rw-r--r-- | main/lua-luaxml/0001-XML-attributes.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/main/lua-luaxml/0001-XML-attributes.patch b/main/lua-luaxml/0001-XML-attributes.patch new file mode 100644 index 00000000000..30d2b02f583 --- /dev/null +++ b/main/lua-luaxml/0001-XML-attributes.patch @@ -0,0 +1,55 @@ +From 0b7449ef614cd6514a7f81ebdc8f2171efee0ca9 Mon Sep 17 00:00:00 2001 +From: Alex Dowad <alexinbeijing@gmail.com> +Date: Thu, 24 Feb 2022 14:58:01 +0200 +Subject: [PATCH] Be strict about handling of malformed XML attributes + +This code was written by Natanael Copa. +--- + LuaXML_lib.c | 11 ++++++++++- + unittest.lua | 8 ++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/LuaXML_lib.c b/LuaXML_lib.c +index 6c074de..ae330ee 100644 +--- a/LuaXML_lib.c ++++ b/LuaXML_lib.c +@@ -671,8 +671,17 @@ int Xml_eval(lua_State *L) { + // parse tag header + size_t sepPos = find(token, "=", 0); + if (token[sepPos]) { // regular attribute (key="value") +- const char *aVal = token + sepPos + 2; ++ const char *aVal = token + sepPos + 1; + lua_pushlstring(L, token, sepPos); ++ size_t lenVal = strlen(aVal); ++ ++ if (lenVal < 2 || ((aVal[0] != '"' && aVal[0] != '\'') || (aVal[lenVal-1] != '"' && aVal[lenVal-1] != '\''))) ++ luaL_error(L, "Malformed XML: attribute value not quoted in '%s'", token); ++ ++ // strip quote chars ++ aVal++; ++ lenVal -= 2; ++ + Xml_pushDecode(L, aVal, strlen(aVal) - 1); + lua_rawset(L, -3); + } +diff --git a/unittest.lua b/unittest.lua +index e179d91..1d16d7a 100644 +--- a/unittest.lua ++++ b/unittest.lua +@@ -162,5 +162,13 @@ function TestXml:test_transform() + lu.assertEquals(test, expected) + end + ++function TestXml:test_malformed_attribute() ++ -- malformed XML attribute ++ lu.assertErrorMsgContains("Malformed XML", xml.eval, "<a bad=0></a>") ++ lu.assertErrorMsgContains("Malformed XML", xml.eval, "<a bad=></a>") ++ lu.assertErrorMsgContains("Malformed XML", xml.eval, "<a bad='></a>") ++ lu.assertErrorMsgContains("Malformed XML", xml.eval, '<a bad="></a>') ++end ++ + -- run test suite with verbose output + os.exit(lu.LuaUnit.run("-v")) +-- +2.25.1 + |