aboutsummaryrefslogtreecommitdiffstats
path: root/main/lua-luaxml/0001-XML-attributes.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/lua-luaxml/0001-XML-attributes.patch')
-rw-r--r--main/lua-luaxml/0001-XML-attributes.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/main/lua-luaxml/0001-XML-attributes.patch b/main/lua-luaxml/0001-XML-attributes.patch
new file mode 100644
index 00000000000..30d2b02f583
--- /dev/null
+++ b/main/lua-luaxml/0001-XML-attributes.patch
@@ -0,0 +1,55 @@
+From 0b7449ef614cd6514a7f81ebdc8f2171efee0ca9 Mon Sep 17 00:00:00 2001
+From: Alex Dowad <alexinbeijing@gmail.com>
+Date: Thu, 24 Feb 2022 14:58:01 +0200
+Subject: [PATCH] Be strict about handling of malformed XML attributes
+
+This code was written by Natanael Copa.
+---
+ LuaXML_lib.c | 11 ++++++++++-
+ unittest.lua | 8 ++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/LuaXML_lib.c b/LuaXML_lib.c
+index 6c074de..ae330ee 100644
+--- a/LuaXML_lib.c
++++ b/LuaXML_lib.c
+@@ -671,8 +671,17 @@ int Xml_eval(lua_State *L) {
+ // parse tag header
+ size_t sepPos = find(token, "=", 0);
+ if (token[sepPos]) { // regular attribute (key="value")
+- const char *aVal = token + sepPos + 2;
++ const char *aVal = token + sepPos + 1;
+ lua_pushlstring(L, token, sepPos);
++ size_t lenVal = strlen(aVal);
++
++ if (lenVal < 2 || ((aVal[0] != '"' && aVal[0] != '\'') || (aVal[lenVal-1] != '"' && aVal[lenVal-1] != '\'')))
++ luaL_error(L, "Malformed XML: attribute value not quoted in '%s'", token);
++
++ // strip quote chars
++ aVal++;
++ lenVal -= 2;
++
+ Xml_pushDecode(L, aVal, strlen(aVal) - 1);
+ lua_rawset(L, -3);
+ }
+diff --git a/unittest.lua b/unittest.lua
+index e179d91..1d16d7a 100644
+--- a/unittest.lua
++++ b/unittest.lua
+@@ -162,5 +162,13 @@ function TestXml:test_transform()
+ lu.assertEquals(test, expected)
+ end
+
++function TestXml:test_malformed_attribute()
++ -- malformed XML attribute
++ lu.assertErrorMsgContains("Malformed XML", xml.eval, "<a bad=0></a>")
++ lu.assertErrorMsgContains("Malformed XML", xml.eval, "<a bad=></a>")
++ lu.assertErrorMsgContains("Malformed XML", xml.eval, "<a bad='></a>")
++ lu.assertErrorMsgContains("Malformed XML", xml.eval, '<a bad="></a>')
++end
++
+ -- run test suite with verbose output
+ os.exit(lu.LuaUnit.run("-v"))
+--
+2.25.1
+
generated by cgit v1.2.3 (git 2.41.0) at 2024-04-24 22:28:25 +0000