Implement http://xml.org/sax/features/external-general-entities

Expat.pm

@@ -14,6 +14,15 @@ use vars qw($VERSION);
 $VERSION = '0.51';
 
 
+sub new {
+    my $class = shift;
+    my $self = $class->SUPER::new(@_);
+    # set feature state to historical behavioral defaults
+    $self->set_feature('http://xml.org/sax/features/external-general-entities', 1);
+    $self->set_feature('http://xml.org/sax/features/external-parameter-entities', 0);
+    return $self;
+}
+
 #,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,#
 #`,`, Variations on parse `,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,#
 #```````````````````````````````````````````````````````````````````#
@@ -90,8 +99,8 @@ sub _create_parser {
          if $self->{_InParse};
 
     my $featUri = 'http://xml.org/sax/features/';
-    my $ppe = ($self->get_feature($featUri . 'external-general-entities') or
-               $self->get_feature($featUri . 'external-parameter-entities') ) ? 1 : 0;
+    my $pge = $self->get_feature($featUri . 'external-general-entities')   ? 1 : 0;
+    my $ppe = $self->get_feature($featUri . 'external-parameter-entities') ? 1 : 0;
 
     my $expat = XML::Parser->new( ParseParamEnt => $ppe );
     $expat->{__XSE} = $self;
@@ -107,15 +116,19 @@ sub _create_parser {
                         CdataEnd    => \&_handle_end_cdata,
                         Unparsed    => \&_handle_unparsed_entity,
                         Notation    => \&_handle_notation_decl,
-                        #ExternEnt
-                        #ExternEntFin
                         Entity      => \&_handle_entity_decl,
                         Element     => \&_handle_element_decl,
                         Attlist     => \&_handle_attr_decl,
                         Doctype     => \&_handle_start_doctype,
                         DoctypeFin  => \&_handle_end_doctype,
                         XMLDecl     => \&_handle_xml_decl,
                       );
+    if (!$pge) {
+        $expat->setHandlers(
+                        ExternEnt   => sub { ''; },
+                        #ExternEntFin not needed
+                      );
+    }
 
     $self->{_InParse} = 1;
     $self->{_NodeStack} = [];
@@ -551,15 +564,18 @@ PerlSAX2 specification, available above.
 Returns:
 
   * http://xml.org/sax/features/external-general-entities
+    (default: on)
   * http://xml.org/sax/features/external-parameter-entities
+    (default: off)
   * [ Features supported by ancestors ]
 
-Turning one of the first two on also turns the other on (this maps
-to the XML::Parser ParseParamEnts option). This may be fixed in the
-future, so don't rely on this behaviour.
-
 =back
 
+Depending on the application, you may want to turn
+external-general-entities off for security reasons. The default is on
+to maintain behavioral backwards compatibility with (common) use cases
+that don't set any feature states.
+
 =head1 MISSING PARTS
 
 XML::Parser has no listed callbacks for the following events, which

MANIFEST

@@ -4,6 +4,7 @@ Expat.pm
 Makefile.PL
 MANIFEST
 t/00basic.t
+t/01extent.t
 t/98podsyn.t
 t/99podcov.t
 eg/counter.pl

t/01extent.t

@@ -0,0 +1,34 @@
+use strict;
+use warnings;
+use Test::More tests => 7;
+use XML::SAX::Expat;
+
+my $ege = 'http://xml.org/sax/features/external-general-entities';
+my $epe = 'http://xml.org/sax/features/external-parameter-entities';
+
+my $doc1 = <<EOF;
+<!DOCTYPE foo [
+<!ENTITY bar SYSTEM "file:///path/to/nonexistent/file.xml">
+]>
+<foo>&bar;</foo>
+EOF
+
+my $xp = XML::SAX::Expat->new();
+
+is($xp->get_feature($ege), 1, "$ege initial state");
+is($xp->get_feature($epe), 0, "$epe initial state");
+
+is(scalar(grep { $_ eq $ege } $xp->supported_features), 1,
+   "$ege in supported_features");
+is(scalar(grep { $_ eq $epe } $xp->supported_features), 1,
+   "$epe in supported_features");
+
+eval { $xp->parse_string($doc1) };
+ok($@, "exception retrieving nonexistent external entity");
+
+$xp = XML::SAX::Expat->new();
+$xp->set_feature($ege, 0);
+is($xp->get_feature($ege), 0, "$ege set state");
+
+eval { $xp->parse_string($doc1) };
+ok(!$@, "no exception for nonexistent external entity which isn't fetched");