2018-08-19 14:43 BST

View Issue Details
ID: 0002313
Project: LibDOM
Category: [All Projects] General
View Status: public
Last Update: 2016-11-20 20:11
Reporter: hotrod
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: confirmed
Resolution: open
Summary: 0002313: Entity ref fetching in libdom is broken
Description: When visiting some sites like http://www.aftonbladet.se/ or http://www.dn.se/ a requester asking you to insert "http:" in any drive keeps appearing.
Tags: No tags attached.
Fixed in CI build #:
Reported in CI build #: 2758
Notes

~0000841

Chris Young (developer)

This is because for some reason when SVGs are opened using libsvgtiny, the DTD specified in the header is opened as a normal file path:

00492 : NetSurf : o.k. = Open("http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd",OLD) = [0x16426BFE] [366442uS]
00493 : NetSurf : FAIL = ExamineObject(0x59FA6AC8) [83uS]
00494 : NetSurf : FAIL = IsInteractive("http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd")
00495 : NetSurf : FAIL = IsFileSystem("http:") [183uS]
00496 : NetSurf : FAIL = ExamineFH("") [61uS]
00497 : NetSurf : FAIL = Open("svg-framework.mod",OLD) = [0x00000000] [128uS]
00498 : NetSurf : ROOT = ParentOfFH(0x16426BFE) "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [46uS]

It reports "ok" here because I have http-handler installed which takes care of opening such paths through DOS. However, the DTD (if it is required at all) should be fetched from the network rather than treated as a disk-based file.

~0000842

Chris Young (developer)

I think this is a libsvgtiny bug, as I vaguely recall it being mentioned previously in relation to my little svg2dr2d tool.

~0000843

Chris Young (developer)

Last edited: 2016-08-22 11:37


The libdom XML binding expat_xmlparser_external_entity_ref_handler() has a blind fopen in it; it's likely that this is the reason (at http://git.netsurf-browser.org/libdom.git/tree/bindings/xml/expat_xmlparser.c#n307).

I don't know how viable it is to initiate a fetch from there, but we should at least be checking this is not a network URI before calling fopen().


~0001390

ChrisH (reporter)

FWIW, this problem still occurs in the latest builds of NetSurf. (At least I'm told the problem I have is caused by this bug.)

~0001391

Chris Young (developer)

I've implemented a partial fix in CI3682.

The entity reference handling was calling fopen on the location, which, after some research, turns out to be wrong. The location provided is either absolute or relative to the base (current doc being parsed), and is always a URI once resolved, so should be fetched from the network. file: URIs can be fetched with fopen; however, relative paths still need resolving first, and certain NetSurf frontends need different handling on changing this URI to a valid filesystem path.

There is a POC in the chris/fetch-x-ent-ref branches, but it needs some serious testing and has an issue in that the parsing doesn't finish before libsvgtiny destroys the XML parser - so that needs fixing.

For now not fetching the external entities is better than reading a potentially dangerous unintended file.
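
The check described in notes 0000843 and 0001391 (refuse network URIs before fopen(), allow only file: locations, let a relative reference take its kind from the base), sketched in C as an added example that is not part of this thread or of libdom. The function and enum names are hypothetical; `base` and `system_id` stand for the base and systemId arguments expat passes to an external entity reference handler, and the file: base is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum ref_kind { REF_RELATIVE, REF_FILE, REF_REMOTE }; /* hypothetical names, not libdom's API */

/* Length of a leading RFC 3986 scheme followed by ':', or 0 if there is none. */
static size_t scheme_len(const char *s)
{
    size_t i = 0;
    if (!isalpha((unsigned char)s[0]))
        return 0;
    while (isalnum((unsigned char)s[i]) || s[i] == '+' || s[i] == '-' || s[i] == '.')
        i++;
    return s[i] == ':' ? i : 0;
}

static enum ref_kind classify(const char *ref)
{
    const unsigned char *u = (const unsigned char *)ref;
    size_t n = scheme_len(ref);
    if (n == 0) /* "//host/x" names an authority, so it is never a local path */
        return strncmp(ref, "//", 2) == 0 ? REF_REMOTE : REF_RELATIVE;
    if (n != 4 || tolower(u[0]) != 'f' || tolower(u[1]) != 'i' ||
        tolower(u[2]) != 'l' || tolower(u[3]) != 'e')
        return REF_REMOTE; /* http:, https:, ftp:, ... */
    if (strncmp(ref + 5, "//", 2) == 0 && ref[7] != '/')
        return REF_REMOTE; /* file://host/... names a host */
    return REF_FILE; /* file:/path or file:///path */
}

/* Returns 1 only when the location is a local file: URI. A relative systemId
 * takes the kind of its base; a missing or scheme-less base means "refuse". */
int entity_ref_may_fopen(const char *base, const char *system_id)
{
    if (system_id == NULL || system_id[0] == '\0')
        return 0;
    enum ref_kind k = classify(system_id);
    if (k == REF_RELATIVE && base != NULL)
        k = classify(base);
    return k == REF_FILE;
}

int main(void)
{
    const char *dtd = "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"; /* from the log */
    printf("%d %d\n", entity_ref_may_fopen(dtd, "svg-framework.mod"),
           entity_ref_may_fopen("file:///tmp/doc.svg", "svg-framework.mod"));
    return 0;
}
```

A return of 1 only says fopen() is permissible; the reference still has to be resolved against the base and the file: URI converted to a filesystem path, which the note above says differs between frontends.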

~0001392

Chris Young (developer)

I've had to reverse my partial fix because it breaks the libdom tests.

**This needs fixing properly, it could be a potential security issue**

~0001417

Chris Young (developer)

I've suppressed the requester in CI3774, but the entity ref fetching is still broken so I'm leaving this open.

Issue History
Date Modified | Username | Field | Change
2015-05-02 13:47 | hotrod | New Issue |
2015-05-05 20:00 | Chris Young | Note Added: 0000841 |
2015-05-05 20:00 | Chris Young | Status | new => confirmed
2015-05-05 20:02 | Chris Young | Note Added: 0000842 |
2015-05-05 20:28 | Chris Young | Note Added: 0000843 |
2016-04-17 14:01 | Chris Young | Project | NetSurf => LibSVGTiny
2016-04-17 14:01 | Chris Young | Category | Amiga-specific => General
2016-08-17 12:35 | Chris Young | Project | LibSVGTiny => LibDOM
2016-08-22 11:37 | Chris Young | Note Edited: 0000843 |
2016-08-22 14:08 | ChrisH | Note Added: 0001390 |
2016-08-23 18:44 | Chris Young | Note Added: 0001391 |
2016-08-23 18:59 | Chris Young | Note Added: 0001392 |
2016-08-23 19:02 | Chris Young | Severity | minor => major
2016-11-20 20:11 | Chris Young | Note Added: 0001417 |
2016-11-20 20:11 | Chris Young | Summary | Brings up anoying requester on certain sites => Entity ref fetching in libdom is broken (was: Brings up anoying requester on certain sites)
2016-11-20 20:11 | Chris Young | Summary | Entity ref fetching in libdom is broken (was: Brings up anoying requester on certain sites) => Entity ref fetching in libdom is broken