NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit4c9bf94

committed

Replace usages of xmlXPathCompile() with xmlXPathCtxtCompile().

In existing releases of libxml2, xmlXPathCompile can be drivento stack overflow because it fails to protect itself againsttoo-deeply-nested input. While there is an upstream fix as ofyesterday, it will take years for that to propagate into allshipping versions. In the meantime, we can protect our ownusages basically for free by calling xmlXPathCtxtCompile instead.(The actual bug is that libxml2 keeps its nesting counter in thexmlXPathContext, and its parsing code was willing to just skipcounting nesting levels if it didn't have a context. So if we supplya context, all is well. It seems odd actually that it works at allto not supply a context, because this means that XPath parsing doesnot have access to XML namespace info. Apparently libxml2 neverchecks namespaces until runtime? Anyway, this seems like goodfuture-proofing even if its only immediate effect is to dodge a bug.)Sadly, this hack only offers protection with libxml2 2.9.11 and newer.Before that there are multiple similar problems, so if you areprocessing untrusted XML it behooves you to get a newer version.But we have some pretty old libxml2 in the buildfarm, so it seemsimpractical to add a regression test to verify this fix.Per bug #18617 from Jingzhou Fu. Back-patch to all supportedversions.Discussion:https://postgr.es/m/18617-1cee4d2ed1f4e7ae@postgresql.orgDiscussion:https://gitlab.gnome.org/GNOME/libxml2/-/issues/799

1 parent121a03d commit4c9bf94Copy full SHA for 4c9bf94

File tree

2 files changed

+17

-5

lines changed

contrib/xml2
- xpath.c
src/backend/utils/adt
- xml.c

2 files changed

+17

-5

lines changed

`‎contrib/xml2/xpath.c`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -386,7 +386,7 @@ pgxml_xpath(text document, xmlChar xpath, xpath_workspace *workspace)`
`386`	`386`	`workspace->ctxt->node=xmlDocGetRootElement(workspace->doctree);`
`387`	`387`
`388`	`388`	`/* compile the path */`
`389`		`-comppath=xmlXPathCompile(xpath);`
	`389`	`+comppath=xmlXPathCtxtCompile(workspace->ctxt,xpath);`
`390`	`390`	`if (comppath==NULL)`
`391`	`391`	`xml_ereport(xmlerrcxt,ERROR,ERRCODE_EXTERNAL_ROUTINE_EXCEPTION,`
`392`	`392`	`"XPath Syntax Error");`
`@@ -650,7 +650,7 @@ xpath_table(PG_FUNCTION_ARGS)`
`650`	`650`	`ctxt->node=xmlDocGetRootElement(doctree);`
`651`	`651`
`652`	`652`	`/* compile the path */`
`653`		`-comppath=xmlXPathCompile(xpaths[j]);`
	`653`	`+comppath=xmlXPathCtxtCompile(ctxt,xpaths[j]);`
`654`	`654`	`if (comppath==NULL)`
`655`	`655`	`xml_ereport(xmlerrcxt,ERROR,`
`656`	`656`	`ERRCODE_EXTERNAL_ROUTINE_EXCEPTION,`

`‎src/backend/utils/adt/xml.c`

Lines changed: 15 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -4429,7 +4429,13 @@ xpath_internal(text xpath_expr_text, xmltype data, ArrayType *namespaces,`
`4429`	`4429`	`}`
`4430`	`4430`	`}`
`4431`	`4431`
`4432`		`-xpathcomp=xmlXPathCompile(xpath_expr);`
	`4432`	`+/*`
	`4433`	`+ * Note: here and elsewhere, be careful to use xmlXPathCtxtCompile not`
	`4434`	`+ * xmlXPathCompile. In libxml2 2.13.3 and older, the latter function`
	`4435`	`+ * fails to defend itself against recursion-to-stack-overflow. See`
	`4436`	`+ * https://gitlab.gnome.org/GNOME/libxml2/-/issues/799`
	`4437`	`+ */`
	`4438`	`+xpathcomp=xmlXPathCtxtCompile(xpathctx,xpath_expr);`
`4433`	`4439`	`if (xpathcomp==NULL\|\|xmlerrcxt->err_occurred)`
`4434`	`4440`	`xml_ereport(xmlerrcxt,ERROR,ERRCODE_INTERNAL_ERROR,`
`4435`	`4441`	`"invalid XPath expression");`
`@@ -4800,7 +4806,10 @@ XmlTableSetRowFilter(TableFuncScanState state, const char path)`
`4800`	`4806`
`4801`	`4807`	`xstr=pg_xmlCharStrndup(path,strlen(path));`
`4802`	`4808`
`4803`		`-xtCxt->xpathcomp=xmlXPathCompile(xstr);`
	`4809`	`+/* We require XmlTableSetDocument to have been done already */`
	`4810`	`+Assert(xtCxt->xpathcxt!=NULL);`
	`4811`	`+`
	`4812`	`+xtCxt->xpathcomp=xmlXPathCtxtCompile(xtCxt->xpathcxt,xstr);`
`4804`	`4813`	`if (xtCxt->xpathcomp==NULL\|\|xtCxt->xmlerrcxt->err_occurred)`
`4805`	`4814`	`xml_ereport(xtCxt->xmlerrcxt,ERROR,ERRCODE_SYNTAX_ERROR,`
`4806`	`4815`	`"invalid XPath expression");`
`@@ -4831,7 +4840,10 @@ XmlTableSetColumnFilter(TableFuncScanState state, const char path, int colnum)`
`4831`	`4840`
`4832`	`4841`	`xstr=pg_xmlCharStrndup(path,strlen(path));`
`4833`	`4842`
`4834`		`-xtCxt->xpathscomp[colnum]=xmlXPathCompile(xstr);`
	`4843`	`+/* We require XmlTableSetDocument to have been done already */`
	`4844`	`+Assert(xtCxt->xpathcxt!=NULL);`
	`4845`	`+`
	`4846`	`+xtCxt->xpathscomp[colnum]=xmlXPathCtxtCompile(xtCxt->xpathcxt,xstr);`
`4835`	`4847`	`if (xtCxt->xpathscomp[colnum]==NULL\|\|xtCxt->xmlerrcxt->err_occurred)`
`4836`	`4848`	`xml_ereport(xtCxt->xmlerrcxt,ERROR,ERRCODE_DATA_EXCEPTION,`
`4837`	`4849`	`"invalid XPath expression");`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit4c9bf94

File tree

2 files changed

2 files changed

`‎contrib/xml2/xpath.c`

`‎src/backend/utils/adt/xml.c`

0 commit comments