
[xml] prevent files parsing from root folder #21812

Merged
linev merged 4 commits into root-project:master from linev:xml_warnings
Apr 9, 2026

Conversation

@linev (Member) commented Apr 7, 2026

When parsing an xml file, TXMLEngine can include other files via the syntax:

<!ENTITY xxe SYSTEM "/user/home/secret.file">

So prevent inclusion of files which are not in the current directory or a sub-directory.
Additionally check on Windows that the file name does not start with a drive letter like 'C:filename.ext'.

Add corresponding tests to the roottest/root/io/xml folder.

@linev linev requested review from bellenot and dpiparo April 7, 2026 14:56
@linev linev self-assigned this Apr 7, 2026
@linev linev requested a review from pcanal as a code owner April 7, 2026 14:56
3 review comment threads on io/xml/src/TXMLEngine.cxx (outdated)
@linev linev force-pushed the xml_warnings branch 3 times, most recently from cbd1c51 to 23f5c6e Compare April 7, 2026 17:14
@github-actions bot commented Apr 8, 2026

Test Results

22 files, 22 suites, 3d 4h 59m 58s ⏱️
3 833 tests: 3 832 ✅, 1 💤, 0 ❌
75 653 runs: 75 635 ✅, 18 💤, 0 ❌

Results for commit 6d837af.

♻️ This comment has been updated with latest results.

linev added 3 commits April 8, 2026 09:53
Check using `std::filesystem::proximate` functionality
When a file cannot be opened, do not try to parse it, just print the failure
And print the error correctly when a string is parsed
Such string parsing can also include access to local xml files
Use of parent or top directory paths is not allowed
So control proper error messages in the output
@linev linev merged commit fb1c27f into root-project:master Apr 9, 2026
29 of 30 checks passed
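A worked illustration of the confinement check described in the PR description and in the commit list above, added here as an example; it is not TXMLEngine's code and not the project's roottest cases. It assumes C++17 `<filesystem>`; the names `ExtractSystemEntities` and `IsConfinedInclude`, and the sample DOCTYPE it feeds them, are invented for the demo. The check rejects drive-letter and rooted names up front, then runs the remainder through `std::filesystem::proximate` (the call the first commit message names) and refuses anything whose path relative to the working directory begins with `..`.

```cpp
// Added example, not TXMLEngine's code: confine external-entity file names to
// the working directory or its sub-directories, as PR #21812 describes.
// Assumes C++17 <filesystem>. All function names here are hypothetical.
#include <cctype>
#include <filesystem>
#include <iostream>
#include <regex>
#include <string>
#include <system_error>
#include <vector>

namespace fs = std::filesystem;

// Pull the SYSTEM literal out of every external entity declaration in an XML
// prolog. Demo helper only; a real XML parser does this as part of DTD parsing.
std::vector<std::string> ExtractSystemEntities(const std::string &xml)
{
   static const std::regex re(R"rx(<!ENTITY\s+\S+\s+SYSTEM\s+"([^"]*)")rx");
   std::vector<std::string> out;
   for (auto it = std::sregex_iterator(xml.begin(), xml.end(), re); it != std::sregex_iterator(); ++it)
      out.push_back((*it)[1].str());
   return out;
}

// True only if fname stays inside the current working directory or one of its
// sub-directories. Fails closed on anything it cannot classify.
bool IsConfinedInclude(const std::string &fname)
{
   if (fname.empty())
      return false;

   // "C:filename.ext" is drive-relative on Windows; on POSIX std::filesystem
   // parses it as an ordinary file name, so test the drive letter by hand.
   // This also rejects a POSIX file literally named "a:b.xml" (conservative).
   if (fname.size() >= 2 && std::isalpha(static_cast<unsigned char>(fname[0])) && fname[1] == ':')
      return false;

   fs::path p(fname);

   // Absolute paths ("/user/home/secret.file"), root-relative ones ("\secret"
   // on Windows) and UNC names all carry a root path: reject them outright,
   // independent of what the working directory happens to be.
   if (p.has_root_path())
      return false;

   // std::filesystem::proximate canonicalises the part of the path that exists
   // (following symlinks there) and expresses the result relative to the
   // current directory. "sub/../../secret.xml", or "sub/x" where "sub" is a
   // symlink out of the tree, both come back as a path that starts with "..".
   std::error_code ec;
   const fs::path rel = fs::proximate(p, ec);
   if (ec)
      return false;
   for (const auto &part : rel)
      if (part == "..")
         return false;
   return true;
}

int main()
{
   // Constructed sample prolog for the demo, not taken from the project's tests.
   const std::string xml =
      "<?xml version=\"1.0\"?>\n"
      "<!DOCTYPE doc [\n"
      "  <!ENTITY cfg SYSTEM \"sub/config.xml\">\n"
      "  <!ENTITY xxe SYSTEM \"/user/home/secret.file\">\n"
      "  <!ENTITY up  SYSTEM \"sub/../../secret.xml\">\n"
      "  <!ENTITY drv SYSTEM \"C:filename.ext\">\n"
      "]>\n<doc>&cfg;&xxe;&up;&drv;</doc>\n";
   for (const auto &f : ExtractSystemEntities(xml))
      std::cout << (IsConfinedInclude(f) ? "allow  " : "reject ") << f << '\n';
   return 0;
}
```

The order of the checks matters: the root-path and drive-letter tests run before `proximate` so that the decision for absolute names does not depend on the working directory (a process running with cwd `/` would otherwise see every absolute path as "inside"). `fs::proximate` touches the filesystem and follows symlinks in the existing prefix, which is what distinguishes it from the purely lexical `path::lexically_proximate`; the `error_code` overload is used so that an I/O error during resolution rejects the include rather than throwing out of the parser.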
@linev (Member, Author) commented Apr 9, 2026

/backport to 6.38, 6.36, 6.32, 6.30, 6.28, 6.26

@root-project-bot commented

Something went wrong with the backport to 6.38: @linev please see the logs
