| author | Axel Wagner <axel.wagner.hh@googlemail.com> | 2024-02-14 09:38:46 +0100 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2024-02-22 22:50:20 +0000 |
| commit | 8a0fbd75a54c27ff2ae624ac2775bf752cdbceb4 (patch) | |
| tree | f2f3db97bf9817ff1d6c148b2fcb27dbba478235 /src/encoding/xml/xml.go | |
| parent | d892cb496a30ec274ee87f3cd0cf6bb7ac682ab3 (diff) | |
encoding/xml: reject XML declaration after start of document
The XML specification requires an XML declaration, if present, to only
appear at the very beginning of the document, not even preceded by
whitespace. The parser currently accepts it at any part of the input.
Rejecting whitespace at the beginning of the file might break too many
users. This change instead only rejects an XML declaration preceded by
a non-whitespace token *and* allows the Encoder to emit whitespace
before an XML declaration. This means that a token stream produced by
the Decoder can be passed to the Encoder without error, while we still
don't emit clearly invalid XML.
This might break programs depending on Decoder allowing arbitrary XML
before the XML declaration.
Fixes #65691.
Change-Id: Ib1d4b3116aee63f40fd377f90595780b4befd1ee
Reviewed-on: https://go-review.googlesource.com/c/go/+/564035
Auto-Submit: Ian Lance Taylor <iant@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Diffstat (limited to 'src/encoding/xml/xml.go')
| -rw-r--r-- | src/encoding/xml/xml.go | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
index 6b8f2e7978..a1e63ed30d 100644
--- a/src/encoding/xml/xml.go
+++ b/src/encoding/xml/xml.go
@@ -212,6 +212,7 @@ type Decoder struct {
 line int
 linestart int64
 offset int64
+ readNonWS bool
 unmarshalDepth int
 }
@@ -559,6 +560,8 @@ func (d *Decoder) rawToken() (Token, error) {
 return EndElement{d.toClose}, nil
 }
+ readNonWS := d.readNonWS
+
 b, ok := d.getc()
 if !ok {
 return nil, d.err
@@ -571,8 +574,12 @@ func (d *Decoder) rawToken() (Token, error) {
 if data == nil {
 return nil, d.err
 }
+ if !d.readNonWS && !isWhitespace(CharData(data)) {
+ d.readNonWS = true
+ }
 return CharData(data), nil
 }
+ d.readNonWS = true
 if b, ok = d.mustgetc(); !ok {
 return nil, d.err
@@ -623,6 +630,11 @@ func (d *Decoder) rawToken() (Token, error) {
 data = data[0 : len(data)-2] // chop ?>
 if target == "xml" {
+ if readNonWS {
+ d.err = errors.New("xml: XML declaration after start of document")
+ return nil, d.err
+ }
+
 content := string(data)
 ver := procInst("version", content)
 if ver != "" && ver != "1.0" { |
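Review bot: Neither the new `readNonWS` field in the Decoder struct nor the local copy taken in the second hunk says why two variables are needed. The local exists because `d.readNonWS` is set to true for every markup token before the processing-instruction target is known, so the declaration check must see the value from before the current token. I would add `// readNonWS reports whether a token other than whitespace-only CharData has been read.` on the field and `// Value before this token; d.readNonWS is updated below, before the PI target is known.` above the assignment. rawToken starts and ends outside these hunks.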
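Review bot: A character reference or a byte-order mark ahead of the declaration may be classified differently from what the commit message intends, because the whitespace test in the CharData branch runs on `data` as it is produced outside this hunk. If `data` is the text after references are expanded, `&#x20;` in front of `<?xml` passes as plain whitespace and the declaration is still accepted. A leading BOM that reaches this branch as character data would set `d.readNonWS` and make an otherwise ordinary document fail. Both inputs deserve a test case, and a short comment on the `if` stating which of the two outcomes is intended would stop the rule from drifting between this decoder and other XML consumers that see the same bytes.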
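Review bot: The rejection in the `target == "xml"` branch returns a plain `errors.New` value, so a caller that starts failing after this change gets no line number and no type to match on. The package has a `syntaxError` helper (defined outside this hunk) that records the current line in a `*SyntaxError`; using it here would read `d.err = d.syntaxError("XML declaration after start of document")`. That changes the message text, so it is worth deciding before the string becomes something callers compare against. The check also runs regardless of any decoder option visible in this hunk, which matches the commit message but should be said in the doc comment of the exported entry points.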
