OpenSP is often used in Web applications such as HTML
validators. These Web applications are currently
vulnerable to remote file reading when users submit a
file that contains an entity such as
<!ENTITY passwd SYSTEM "/etc/passwd">.
This patch adds a new command-line option, -R or
--restricted, that restricts file reading to
directories listed in the -D command-line option or in
the SGML_SEARCH_PATH. Also, when -R is used, filenames
containing ".." will not be read, and as a further
security precaution the characters used in the filename
are limited to A-Z, a-z, 0-9, '/', '.', '_', '-'.
The patch is against opensp_1_5_pre5 but should apply
cleanly to the latest opensp_1_5_branch.
Log in to post a comment.