root-project · linev · Apr 9, 2026 · Apr 7, 2026 · Apr 8, 2026 · Apr 9, 2026
@@ -24,3 +24,7 @@ ROOT_STANDARD_LIBRARY_PACKAGE(XMLIO
                                  src/TXMLPlayer.cxx
                                  src/TXMLSetup.cxx
                               DEPENDENCIES RIO)
+
+if (CMAKE_COMPILER_IS_GNUCC AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS 9.0)
+  target_link_libraries(XMLIO PUBLIC stdc++fs)
+endif()
@@ -36,8 +36,9 @@ class TXMLEngine : public TObject {
    void OutputValue(char *value, TXMLOutputStream *out);
    void SaveNode(XMLNodePointer_t xmlnode, TXMLOutputStream *out, Int_t layout, Int_t level);
    XMLNodePointer_t ReadNode(XMLNodePointer_t xmlparent, TXMLInputStream *inp, Int_t &resvalue);
-   void DisplayError(Int_t error, Int_t linenumber);
+   void DisplayError(Int_t error, Int_t linenumber, Bool_t is_parse_file = kTRUE);
    XMLDocPointer_t ParseStream(TXMLInputStream *input);
+   static Bool_t VerifyFilePath(const char *fname);
 
    Bool_t fSkipComments; //! if true, do not create comments nodes in document during parsing
 

@@ -30,6 +30,7 @@
 #include <fstream>
 #include <cstdlib>
 #include <cstring>
+#include <filesystem>
 
 ClassImp(TXMLEngine);
 
@@ -169,7 +170,7 @@ class TXMLEntity : public TNamed {
 
 class TXMLInputStream {
 protected:
-   std::istream *fInp;
+   std::ifstream *fInp;
    const char *fInpStr;
    Int_t fInpStrLen;
 
@@ -232,6 +233,16 @@ class TXMLInputStream {
       fBuf = nullptr;
    }
 
+   ////////////////////////////////////////////////////////////////////////////
+   /// return true when file stream is configured
+
+   inline Bool_t IsFile() const { return fInp != nullptr; }
+
+   ////////////////////////////////////////////////////////////////////////////
+   /// return true when file stream is open
+
+   inline Bool_t IsFileOpen() const { return fInp && fInp->is_open(); }
+
    ////////////////////////////////////////////////////////////////////////////
    /// return true if end of file is achieved
 
@@ -1348,6 +1359,26 @@ XMLNodePointer_t TXMLEngine::DocGetRootElement(XMLDocPointer_t xmldoc)
    return GetChild(xmlnode, kTRUE);
 }
 
+////////////////////////////////////////////////////////////////////////////////
+/// Checked that filename does not contains relative path below current directory
+///
+/// Used to prevent access to files below current directory
+
+Bool_t TXMLEngine::VerifyFilePath(const char *fname)
+{
+   if (!fname || !*fname)
+      return kFALSE;
+
+   std::filesystem::path rel = std::filesystem::proximate(fname, std::filesystem::current_path());
+
+   // absolute path not allowed
+   if (rel.is_absolute())
+      return kFALSE;
+
+   // relative path should not start with ".."
+   return rel.empty() || (*rel.begin() != "..");
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 /// Parses content of file and tries to produce xml structures.
 /// The maxbuf argument specifies the max size of the XML file to be
@@ -1360,6 +1391,10 @@ XMLDocPointer_t TXMLEngine::ParseFile(const char *filename, Int_t maxbuf)
    if (maxbuf < 100000)
       maxbuf = 100000;
    TXMLInputStream inp(true, filename, maxbuf);
+   if (!inp.IsFileOpen()) {
+      Error("ParseFile", "Fail open XML file %s", filename);
+      return nullptr;
+   }
    return ParseStream(&inp);
 }
 
@@ -1406,7 +1441,7 @@ XMLDocPointer_t TXMLEngine::ParseStream(TXMLInputStream *inp)
    } while (true);
 
    if (!success) {
-      DisplayError(resvalue, inp->CurrentLine());
+      DisplayError(resvalue, inp->CurrentLine(), inp->IsFile());
       FreeDoc(xmldoc);
       return nullptr;
    }
@@ -1472,7 +1507,7 @@ XMLNodePointer_t TXMLEngine::ReadSingleNode(const char *src)
    XMLNodePointer_t xmlnode = ReadNode(nullptr, &inp, resvalue);
 
    if (resvalue <= 0) {
-      DisplayError(resvalue, inp.CurrentLine());
+      DisplayError(resvalue, inp.CurrentLine(), kFALSE);
       FreeNode(xmlnode);
       return nullptr;
    }
@@ -1865,6 +1900,10 @@ XMLNodePointer_t TXMLEngine::ReadNode(XMLNodePointer_t xmlparent, TXMLInputStrea
                AddNodeContent(xmlparent, lastentity, beg - lastentity);
 
             if (entity->IsSystem()) {
+               if (!VerifyFilePath(entity->GetTitle())) {
+                  resvalue = -15;
+                  return contnode;
+               }
                XMLDocPointer_t entitydoc = ParseFile(entity->GetTitle());
                if (!entitydoc) {
                   resvalue = -14;
@@ -2220,27 +2259,29 @@ XMLNodePointer_t TXMLEngine::ReadNode(XMLNodePointer_t xmlparent, TXMLInputStrea
 ////////////////////////////////////////////////////////////////////////////////
 /// Displays xml parsing error
 
-void TXMLEngine::DisplayError(Int_t error, Int_t linenumber)
+void TXMLEngine::DisplayError(Int_t error, Int_t linenumber, Bool_t is_parse_file)
 {
+   const char *method = is_parse_file ? "ParseFile" : "ParseString";
    switch (error) {
-   case -14: Error("ParseFile", "Error include external XML file at line %d", linenumber); break;
-   case -13: Error("ParseFile", "Error processing DTD part of XML file at line %d", linenumber); break;
-   case -12: Error("ParseFile", "DOCTYPE missing after <! at line %d", linenumber); break;
+   case -15: Error(method, "Block access to external XML file at line %d", linenumber); break;
+   case -14: Error(method, "Error include external XML file at line %d", linenumber); break;
+   case -13: Error(method, "Error processing DTD part of XML file at line %d", linenumber); break;
+   case -12: Error(method, "DOCTYPE missing after <! at line %d", linenumber); break;
    case -11:
-      Error("ParseFile", "Node cannot be closed with > symbol at line %d, for instance <?xml ... ?> node", linenumber);
+      Error(method, "Node cannot be closed with > symbol at line %d, for instance <?xml ... ?> node", linenumber);
       break;
    case -10:
-      Error("ParseFile", "Error in xml comments definition at line %d, must be <!-- comments -->", linenumber);
+      Error(method, "Error in xml comments definition at line %d, must be <!-- comments -->", linenumber);
       break;
-   case -9: Error("ParseFile", "Multiple namespace definitions not allowed, line %d", linenumber); break;
-   case -8: Error("ParseFile", "Invalid namespace specification, line %d", linenumber); break;
-   case -7: Error("ParseFile", "Invalid attribute value, line %d", linenumber); break;
-   case -6: Error("ParseFile", "Invalid identifier for node attribute, line %d", linenumber); break;
-   case -5: Error("ParseFile", "Mismatch between open and close nodes, line %d", linenumber); break;
-   case -4: Error("ParseFile", "Unexpected close node, line %d", linenumber); break;
-   case -3: Error("ParseFile", "Valid identifier for close node is missing, line %d", linenumber); break;
-   case -2: Error("ParseFile", "No multiple content entries allowed, line %d", linenumber); break;
-   case -1: Error("ParseFile", "Unexpected end of xml file"); break;
-   default: Error("ParseFile", "XML syntax error at line %d", linenumber); break;
+   case -9: Error(method, "Multiple namespace definitions not allowed, line %d", linenumber); break;
+   case -8: Error(method, "Invalid namespace specification, line %d", linenumber); break;
+   case -7: Error(method, "Invalid attribute value, line %d", linenumber); break;
+   case -6: Error(method, "Invalid identifier for node attribute, line %d", linenumber); break;
+   case -5: Error(method, "Mismatch between open and close nodes, line %d", linenumber); break;
+   case -4: Error(method, "Unexpected close node, line %d", linenumber); break;
+   case -3: Error(method, "Valid identifier for close node is missing, line %d", linenumber); break;
+   case -2: Error(method, "No multiple content entries allowed, line %d", linenumber); break;
+   case -1: Error(method, "Unexpected end of xml file"); break;
+   default: Error(method, "XML syntax error at line %d", linenumber); break;
    }
 }