encoding/xml: decoding XML with entities not supported #35389

Open
yaoh3i opened this issue Nov 6, 2019 · 3 comments

yaoh3i commented Nov 6, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13.3 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
darwin/amd64

What did you do?

I parsed the XML with the entity, but the part with the entity was not parsed (the entity value is in the DTD).
I checked the documentation and set xml.Decoder.Strict to false. What appears is the entity itself, not the value of the entity.

This is my program:
https://play.golang.org/p/pxIrus-iW8b

What did you expect to see?

127.0.0.1
hello

What did you see instead?

When d.Strict = true, there is nothing.
When d.Strict = false, output:

127.0.0.1
&n;

bcmills added the ExpertNeeded, help wanted and NeedsInvestigation labels Nov 6, 2019
bcmills added this to the Backlog milestone Nov 6, 2019

bcmills (Contributor) commented Nov 6, 2019

See previously #4196, #30983, #20614.

bcmills modified the milestones: Backlog, Unplanned Nov 6, 2019

yaoh3i commented Nov 6, 2019

> See previously #4196, #30983, #20614.

Thank you very much for your reply, but it doesn't seem to have been resolved.

#4196 is a parsing bug, but it only outputs the value in XML, not the value of entity. So it didn't solve my problem.
#30983 is a coding problem, it uses iso-8859-1 coding and results in parsing errors. This problem has nothing to do with entities.
#20614 seems to have nothing to do with parsing entities. It looks like it's caused by parsing characters such as spaces.

What I expect is when parsing the following XML:

<!DOCTYPE server [ <!ENTITY n 'hello' > ]>
<server>
    <name>&n;</name>
    <ip>127.0.0.1</ip>
</server>

The value of name can be hello, not &n; It doesn't look like that at the moment.

DemiMarie commented

> > See previously #4196, #30983, #20614.
>
> Thank you very much for your reply, but it doesn't seem to have been resolved.
>
> #4196 is a parsing bug, but it only outputs the value in XML, not the value of entity. So it didn't solve my problem.
> #30983 is a coding problem, it uses iso-8859-1 coding and results in parsing errors. This problem has nothing to do with entities.
> #20614 seems to have nothing to do with parsing entities. It looks like it's caused by parsing characters such as spaces.
>
> What I expect is when parsing the following XML:
>
> <!DOCTYPE server [ <!ENTITY n 'hello' > ]>
> <server>
>     <name>&n;</name>
>     <ip>127.0.0.1</ip>
> </server>
>
> The value of name can be hello, not &n; It doesn't look like that at the moment.

This would need to be off by default for security reasons. See the exponential blowup and quadratic blowup attacks.
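
Added example (not code from the Go project or from anyone in this thread): a bounded workaround for the behaviour reported above. It collects internal entity declarations from the DOCTYPE and passes them to the decoder through `Decoder.Entity`, refusing nested references and oversized values, which is what the blowup concern in the last comment is about. `DecodeServer`, the regular expression and the two limits are assumptions made for this illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

type Server struct { // shape of the sample document quoted in the issue
	Name string `xml:"name"`
	IP   string `xml:"ip"`
}

// entityDecl matches only internal entities declared with a quoted literal value.
var entityDecl = regexp.MustCompile(`<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:'([^']*)'|"([^"]*)")\s*>`)

const maxEntities, maxValueLen = 16, 256 // assumed limits for this sketch

// DecodeServer (hypothetical) gathers DOCTYPE entities, then decodes via Decoder.Entity.
func DecodeServer(doc string) (s Server, err error) {
	entities := map[string]string{}
	pre := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := pre.RawToken()
		if err != nil {
			return s, err
		}
		if _, ok := tok.(xml.StartElement); ok {
			break // the prolog is over, no more declarations can follow
		}
		dir, _ := tok.(xml.Directive) // nil for any other token kind
		for _, m := range entityDecl.FindAllSubmatch(dir, -1) {
			val := string(m[2]) + string(m[3])
			// Refuse nested references, oversized values and too many declarations.
			if len(entities) >= maxEntities || len(val) > maxValueLen || strings.Contains(val, "&") {
				return s, fmt.Errorf("entity %q rejected", m[1])
			}
			entities[string(m[1])] = val
		}
	}
	d := xml.NewDecoder(strings.NewReader(doc))
	d.Entity = entities // Strict stays true, so undeclared entities are errors
	err = d.Decode(&s)
	return s, err
}

func main() { // constructed input: the issue's document on one line
	doc := "<!DOCTYPE server [ <!ENTITY n 'hello' > ]><server><name>&n;</name><ip>127.0.0.1</ip></server>"
	fmt.Println(DecodeServer(doc))
}
```

Because the check rejects any value containing `&`, declarations that use character references such as `&amp;` are refused as well; an application that needs them has to widen the check deliberately.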
