From 0ca6d969af0cab86a0e4dfd3cfdc107652e3e29b Mon Sep 17 00:00:00 2001 From: Debian Qt/KDE Maintainers Date: Tue, 21 May 2024 10:53:43 +0300 Subject: [PATCH] QXmlStreamReader: Raise error on unexpected tokens Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-38197-qtbase-5.15.diff Last-Update: 2023-07-15 QXmlStreamReader accepted multiple DOCTYPE elements, containing DTD fragments in the XML prolog, and in the XML body. Well-formed but invalid XML files - with multiple DTD fragments in prolog and body, combined with recursive entity expansions - have caused infinite loops in QXmlStreamReader. This patch implements a token check in QXmlStreamReader. A stream is allowed to start with an XML prolog. StartDocument and DOCTYPE elements are only allowed in this prolog, which may also contain ProcessingInstruction and Comment elements. As soon as anything else is seen, the prolog ends. After that, the prolog-specific elements are treated as unexpected. Furthermore, the prolog can contain at most one DOCTYPE element. Update the documentation to reflect the new behavior. Add an autotest that checks the new error cases are correctly detected, and no error is raised for legitimate input. The original OSS-Fuzz files (see bug reports) are not included in this patch for file size reasons. They have been tested manually. Each of them has more than one DOCTYPE element, causing infinite loops in recursive entity expansions. The newly implemented functionality detects those invalid DTD fragments. By raising an error, it aborts stream reading before an infinite loop occurs. Thanks to OSS-Fuzz for finding this. Gbp-Pq: Name CVE-2023-38197.diff --- src/corelib/serialization/qxmlstream.cpp | 144 +++++++++++++++++- src/corelib/serialization/qxmlstream_p.h | 11 ++ .../qxmlstream/tokenError/dtdInBody.xml | 20 +++ .../qxmlstream/tokenError/multipleDtd.xml | 20 +++ .../qxmlstream/tokenError/wellFormed.xml | 15 ++ .../qxmlstream/tst_qxmlstream.cpp | 40 +++++ 6 files changed, 242 insertions(+), 8 deletions(-) create mode 100644 tests/auto/corelib/serialization/qxmlstream/tokenError/dtdInBody.xml create mode 100644 tests/auto/corelib/serialization/qxmlstream/tokenError/multipleDtd.xml create mode 100644 tests/auto/corelib/serialization/qxmlstream/tokenError/wellFormed.xml diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp index 15972b8c5..0d49cbac1 100644 --- a/src/corelib/serialization/qxmlstream.cpp +++ b/src/corelib/serialization/qxmlstream.cpp @@ -160,7 +160,7 @@ enum { StreamEOF = ~0U }; addData() or by waiting for it to arrive on the device(). \value UnexpectedElementError The parser encountered an element - that was different to those it expected. + or token that was different to those it expected. */ @@ -295,13 +295,34 @@ QXmlStreamEntityResolver *QXmlStreamReader::entityResolver() const QXmlStreamReader is a well-formed XML 1.0 parser that does \e not include external parsed entities. As long as no error occurs, the - application code can thus be assured that the data provided by the - stream reader satisfies the W3C's criteria for well-formed XML. For - example, you can be certain that all tags are indeed nested and - closed properly, that references to internal entities have been - replaced with the correct replacement text, and that attributes have - been normalized or added according to the internal subset of the - DTD. + application code can thus be assured, that + \list + \li the data provided by the stream reader satisfies the W3C's + criteria for well-formed XML, + \li tokens are provided in a valid order. + \endlist + + Unless QXmlStreamReader raises an error, it guarantees the following: + \list + \li All tags are nested and closed properly. + \li References to internal entities have been replaced with the + correct replacement text. + \li Attributes have been normalized or added according to the + internal subset of the \l DTD. + \li Tokens of type \l StartDocument happen before all others, + aside from comments and processing instructions. + \li At most one DOCTYPE element (a token of type \l DTD) is present. + \li If present, the DOCTYPE appears before all other elements, + aside from StartDocument, comments and processing instructions. + \endlist + + In particular, once any token of type \l StartElement, \l EndElement, + \l Characters, \l EntityReference or \l EndDocument is seen, no + tokens of type StartDocument or DTD will be seen. If one is present in + the input stream, out of order, an error is raised. + + \note The token types \l Comment and \l ProcessingInstruction may appear + anywhere in the stream. If an error occurs while parsing, atEnd() and hasError() return true, and error() returns the error that occurred. The functions @@ -620,6 +641,7 @@ QXmlStreamReader::TokenType QXmlStreamReader::readNext() d->token = -1; return readNext(); } + d->checkToken(); return d->type; } @@ -740,6 +762,14 @@ static const short QXmlStreamReader_tokenTypeString_indices[] = { }; +static const char QXmlStreamReader_XmlContextString[] = + "Prolog\0" + "Body\0"; + +static const short QXmlStreamReader_XmlContextString_indices[] = { + 0, 7 +}; + /*! \property QXmlStreamReader::namespaceProcessing The namespace-processing flag of the stream reader @@ -775,6 +805,16 @@ QString QXmlStreamReader::tokenString() const QXmlStreamReader_tokenTypeString_indices[d->type]); } +/*! + \internal + \return \param ctxt (Prolog/Body) as a string. + */ +QString contextString(QXmlStreamReaderPrivate::XmlContext ctxt) +{ + return QLatin1String(QXmlStreamReader_XmlContextString + + QXmlStreamReader_XmlContextString_indices[static_cast(ctxt)]); +} + #endif // QT_NO_XMLSTREAMREADER QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack() @@ -866,6 +906,8 @@ void QXmlStreamReaderPrivate::init() type = QXmlStreamReader::NoToken; error = QXmlStreamReader::NoError; + currentContext = XmlContext::Prolog; + foundDTD = false; } /* @@ -4061,6 +4103,92 @@ void QXmlStreamWriter::writeCurrentToken(const QXmlStreamReader &reader) } } +static bool isTokenAllowedInContext(QXmlStreamReader::TokenType type, + QXmlStreamReaderPrivate::XmlContext loc) +{ + switch (type) { + case QXmlStreamReader::StartDocument: + case QXmlStreamReader::DTD: + return loc == QXmlStreamReaderPrivate::XmlContext::Prolog; + + case QXmlStreamReader::StartElement: + case QXmlStreamReader::EndElement: + case QXmlStreamReader::Characters: + case QXmlStreamReader::EntityReference: + case QXmlStreamReader::EndDocument: + return loc == QXmlStreamReaderPrivate::XmlContext::Body; + + case QXmlStreamReader::Comment: + case QXmlStreamReader::ProcessingInstruction: + return true; + + case QXmlStreamReader::NoToken: + case QXmlStreamReader::Invalid: + return false; + default: + return false; + } +} + +/*! + \internal + \brief QXmlStreamReader::isValidToken + \return \c true if \param type is a valid token type. + \return \c false if \param type is an unexpected token, + which indicates a non-well-formed or invalid XML stream. + */ +bool QXmlStreamReaderPrivate::isValidToken(QXmlStreamReader::TokenType type) +{ + // Don't change currentContext, if Invalid or NoToken occur in the prolog + if (type == QXmlStreamReader::Invalid || type == QXmlStreamReader::NoToken) + return false; + + // If a token type gets rejected in the body, there is no recovery + const bool result = isTokenAllowedInContext(type, currentContext); + if (result || currentContext == XmlContext::Body) + return result; + + // First non-Prolog token observed => switch context to body and check again. + currentContext = XmlContext::Body; + return isTokenAllowedInContext(type, currentContext); +} + +/*! + \internal + Checks token type and raises an error, if it is invalid + in the current context (prolog/body). + */ +void QXmlStreamReaderPrivate::checkToken() +{ + Q_Q(QXmlStreamReader); + + // The token type must be consumed, to keep track if the body has been reached. + const XmlContext context = currentContext; + const bool ok = isValidToken(type); + + // Do nothing if an error has been raised already (going along with an unexpected token) + if (error != QXmlStreamReader::Error::NoError) + return; + + if (!ok) { + raiseError(QXmlStreamReader::UnexpectedElementError, + QLatin1String("Unexpected token type %1 in %2.") + .arg(q->tokenString(), contextString(context))); + return; + } + + if (type != QXmlStreamReader::DTD) + return; + + // Raise error on multiple DTD tokens + if (foundDTD) { + raiseError(QXmlStreamReader::UnexpectedElementError, + QLatin1String("Found second DTD token in %1.").arg(contextString(context))); + } else { + foundDTD = true; + } +} + /*! \fn bool QXmlStreamAttributes::hasAttribute(const QString &qualifiedName) const \since 4.5 diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h index b01484cac..be7b1fe66 100644 --- a/src/corelib/serialization/qxmlstream_p.h +++ b/src/corelib/serialization/qxmlstream_p.h @@ -804,6 +804,17 @@ public: #endif bool atEnd; + enum class XmlContext + { + Prolog, + Body, + }; + + XmlContext currentContext = XmlContext::Prolog; + bool foundDTD = false; + bool isValidToken(QXmlStreamReader::TokenType type); + void checkToken(); + /*! \sa setType() */ diff --git a/tests/auto/corelib/serialization/qxmlstream/tokenError/dtdInBody.xml b/tests/auto/corelib/serialization/qxmlstream/tokenError/dtdInBody.xml new file mode 100644 index 000000000..1c3ca4e27 --- /dev/null +++ b/tests/auto/corelib/serialization/qxmlstream/tokenError/dtdInBody.xml @@ -0,0 +1,20 @@ + + + + + + + + +]> + + + tst_QXmlStream + + + + + ]> + diff --git a/tests/auto/corelib/serialization/qxmlstream/tokenError/multipleDtd.xml b/tests/auto/corelib/serialization/qxmlstream/tokenError/multipleDtd.xml new file mode 100644 index 000000000..cd398c0f9 --- /dev/null +++ b/tests/auto/corelib/serialization/qxmlstream/tokenError/multipleDtd.xml @@ -0,0 +1,20 @@ + + + + + + + + +]> + + + +]> + + + tst_QXmlStream + + diff --git a/tests/auto/corelib/serialization/qxmlstream/tokenError/wellFormed.xml b/tests/auto/corelib/serialization/qxmlstream/tokenError/wellFormed.xml new file mode 100644 index 000000000..1b61a3f06 --- /dev/null +++ b/tests/auto/corelib/serialization/qxmlstream/tokenError/wellFormed.xml @@ -0,0 +1,15 @@ + + + + + + + + +]> + + + tst_QXmlStream + + diff --git a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp index 9150abe65..a9dacd189 100644 --- a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp +++ b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp @@ -593,6 +593,9 @@ private slots: void entityExpansionLimit() const; + void tokenErrorHandling_data() const; + void tokenErrorHandling() const; + private: static QByteArray readFile(const QString &filename); @@ -1883,5 +1886,42 @@ void tst_QXmlStream::test_fastScanName() const QCOMPARE(reader.error(), errorType); } +void tst_QXmlStream::tokenErrorHandling_data() const +{ + qRegisterMetaType(); + QTest::addColumn("fileName"); + QTest::addColumn("expectedError"); + QTest::addColumn("errorKeyWord"); + + constexpr auto invalid = QXmlStreamReader::Error::UnexpectedElementError; + constexpr auto valid = QXmlStreamReader::Error::NoError; + QTest::newRow("DtdInBody") << "dtdInBody.xml" << invalid << "DTD"; + QTest::newRow("multipleDTD") << "multipleDtd.xml" << invalid << "second DTD"; + QTest::newRow("wellFormed") << "wellFormed.xml" << valid << ""; +} + +void tst_QXmlStream::tokenErrorHandling() const +{ + QFETCH(const QString, fileName); + QFETCH(const QXmlStreamReader::Error, expectedError); + QFETCH(const QString, errorKeyWord); + + const QDir dir(QFINDTESTDATA("tokenError")); + QFile file(dir.absoluteFilePath(fileName)); + + // Cross-compiling: File will be on host only + if (!file.exists()) + QSKIP("Testfile not found."); + + file.open(QIODevice::ReadOnly); + QXmlStreamReader reader(&file); + while (!reader.atEnd()) + reader.readNext(); + + QCOMPARE(reader.error(), expectedError); + if (expectedError != QXmlStreamReader::Error::NoError) + QVERIFY(reader.errorString().contains(errorKeyWord)); +} + #include "tst_qxmlstream.moc" // vim: et:ts=4:sw=4:sts=4 -- 2.30.2