MantisBT - LibDOM
View Issue Details
0002313 | LibDOM | [All Projects] General | public | 2015-05-02 12:47 | 2016-11-20 20:11
Reporter: hotrod
Assigned To:
Priority: normal | Severity: major | Reproducibility: always
Status: confirmed | Resolution: open
Platform: | OS: | OS Version:
Fixed in CI build #:
Reported in CI build #: 2758
Summary: 0002313: Entity ref fetching in libdom is broken
Description: When visiting some sites like http://www.aftonbladet.se/ or http://www.dn.se/ a requester asking you to insert "http:" in any drive keeps appearing.
Tags: No tags attached.
Attached Files

Notes
(0000841)
Chris Young   
2015-05-05 19:00   
This is because for some reason when SVGs are opened using libsvgtiny, the DTD specified in the header is opened as a normal file path:

00492 : NetSurf : o.k. = Open("http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd",OLD) = [0x16426BFE] [366442uS]
00493 : NetSurf : FAIL = ExamineObject(0x59FA6AC8) [83uS]
00494 : NetSurf : FAIL = IsInteractive("http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd")
00495 : NetSurf : FAIL = IsFileSystem("http:") [183uS]
00496 : NetSurf : FAIL = ExamineFH("") [61uS]
00497 : NetSurf : FAIL = Open("svg-framework.mod",OLD) = [0x00000000] [128uS]
00498 : NetSurf : ROOT = ParentOfFH(0x16426BFE) "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [46uS]

It reports "ok" here because I have http-handler installed which takes care of opening such paths through DOS. However, the DTD (if it is required at all) should be fetched from the network rather than treated as a disk-based file.
(0000842)
Chris Young   
2015-05-05 19:02   
I think this is a libsvgtiny bug, as I vaguely recall it being mentioned previously in relation to my little svg2dr2d tool.
(0000843)
Chris Young   
2015-05-05 19:28   
(Last edited: 2016-08-22 10:37)
The libdom XML binding expat_xmlparser_external_entity_ref_handler() has a blind fopen in it; it's likely that this is the reason. (at http://git.netsurf-browser.org/libdom.git/tree/bindings/xml/expat_xmlparser.c#n307)

I don't know how viable it is to initiate a fetch from there, but we should at least be checking this is not a network URI before calling fopen().

(0001390)
ChrisH   
2016-08-22 13:08   
FWIW, this problem still occurs in the latest builds of NetSurf. (At least I'm told the problem I have is caused by this bug.)
(0001391)
Chris Young   
2016-08-23 17:44   
I've implemented a partial fix in CI3682.

The entity reference handling was calling fopen on the location, which, after some research, turns out to be wrong. The location provided is either absolute or relative to the base (current doc being parsed), and is always a URI once resolved so should be fetched from the network. file: URIs can be fetched with fopen, however relative paths still need resolving first, and certain NetSurf frontends need different handling on changing this URI to a valid filesystem path.

There is a POC in the chris/fetch-x-ent-ref branches, but it needs some serious testing and has an issue in that the parsing doesn't finish before libsvgtiny destroys the XML parser - so that needs fixing.

For now not fetching the external entities is better than reading a potentially dangerous unintended file.
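
Added example, not libdom code and not from the notes' author: one way to make the check suggested in notes 0000843 and 0001391, deciding before any fopen() whether an entity's system identifier (taken against the base of the document being parsed) is a network URI. The function and enum names are hypothetical, and treating a base with no scheme as a local path is an assumption.

```c
#include <ctype.h>
#include <stddef.h>

/* Hypothetical names; not part of libdom or Expat. */
typedef enum { ENT_OPEN_LOCAL, ENT_SKIP } ent_action;

/* Length of the RFC 3986 scheme at the start of s (without the ':'),
 * or 0 when s is NULL or a relative reference. */
static size_t uri_scheme_len(const char *s)
{
    size_t i = 0;
    if (s == NULL || !isalpha((unsigned char)s[0]))
        return 0;
    while (isalnum((unsigned char)s[i]) || s[i] == '+' || s[i] == '-' || s[i] == '.')
        i++;
    return s[i] == ':' ? i : 0;
}

/* Case-insensitive test for the "file" scheme. */
static int is_file_scheme(const char *s, size_t len)
{
    static const char want[] = "file";
    size_t i;
    if (len != 4)
        return 0;
    for (i = 0; i < 4; i++)
        if (tolower((unsigned char)s[i]) != want[i])
            return 0;
    return 1;
}

/* Decide whether system_id, taken against base, may be handed to fopen(). */
ent_action classify_entity_ref(const char *base, const char *system_id)
{
    size_t n;
    if (system_id == NULL)
        return ENT_SKIP;
    n = uri_scheme_len(system_id);
    if (n > 0) /* absolute URI: only file: is a local candidate */
        return is_file_scheme(system_id, n) ? ENT_OPEN_LOCAL : ENT_SKIP;
    /* "//host/path" names a host whatever the base scheme is. */
    if (system_id[0] == '/' && system_id[1] == '/')
        return ENT_SKIP;
    /* Any other relative reference inherits the scheme of the base. */
    n = uri_scheme_len(base);
    if (n > 0 && !is_file_scheme(base, n))
        return ENT_SKIP;
    return ENT_OPEN_LOCAL;
}
```

ENT_OPEN_LOCAL only says the reference is not a network URI; resolving it against the base and converting it to a filesystem path, as note 0001391 describes, still has to happen before fopen().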
(0001392)
Chris Young   
2016-08-23 17:59   
I've had to reverse my partial fix because it breaks the libdom tests.

**This needs fixing properly, it could be a potential security issue**
(0001417)
Chris Young   
2016-11-20 20:11   
I've suppressed the requester in CI3774, but the entity ref fetching is still broken so I'm leaving this open.

Issue History
2015-05-02 12:47 | hotrod | New Issue
2015-05-05 19:00 | Chris Young | Note Added: 0000841
2015-05-05 19:00 | Chris Young | Status | new => confirmed
2015-05-05 19:02 | Chris Young | Note Added: 0000842
2015-05-05 19:28 | Chris Young | Note Added: 0000843
2016-04-17 13:01 | Chris Young | Project | NetSurf => LibSVGTiny
2016-04-17 13:01 | Chris Young | Category | Amiga-specific => General
2016-08-17 11:35 | Chris Young | Project | LibSVGTiny => LibDOM
2016-08-22 10:37 | Chris Young | Note Edited: 0000843
2016-08-22 13:08 | ChrisH | Note Added: 0001390
2016-08-23 17:44 | Chris Young | Note Added: 0001391
2016-08-23 17:59 | Chris Young | Note Added: 0001392
2016-08-23 18:02 | Chris Young | Severity | minor => major
2016-11-20 20:11 | Chris Young | Note Added: 0001417
2016-11-20 20:11 | Chris Young | Summary | Brings up anoying requester on certain sites => Entity ref fetching in libdom is broken (was: Brings up anoying requester on certain sites)
2016-11-20 20:11 | Chris Young | Summary | Entity ref fetching in libdom is broken (was: Brings up anoying requester on certain sites) => Entity ref fetching in libdom is broken