Dev news

Commit 4f8aa579ce for asterisk.org

commit 4f8aa579cef907569f5c9dd8c7332844577ae756
Author: George Joseph <gjoseph@sangoma.com>
Date:   Thu Jan 15 08:38:26 2026 -0700

    xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

    The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
    entities, could allow a potential XXE injection attack.  Replacing it with
    XML_PARSE_NONET, which prevents network access, is safer.

    Resolves: #GHSA-85x7-54wr-vh42

diff --git a/main/xml.c b/main/xml.c
index 8f7a891116..c3182aa4dc 100644
--- a/main/xml.c
+++ b/main/xml.c
@@ -99,7 +99,7 @@ struct ast_xml_doc *ast_xml_open(char *filename)
 		return NULL;
 	}

-	doc = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
+	doc = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
 	if (!doc) {
 		return NULL;
 	}
@@ -503,7 +503,7 @@ struct ast_xslt_doc *ast_xslt_open(char *filename)
 	xsltStylesheet *xslt;
 	xmlDoc *xml;

-	xml = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
+	xml = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
 	if (!xml) {
 		return NULL;
 	}
@@ -531,7 +531,7 @@ struct ast_xslt_doc *ast_xslt_read_memory(char *buffer, size_t size)
 		return NULL;
 	}

-	doc = xmlReadMemory(buffer, (int) size, NULL, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
+	doc = xmlReadMemory(buffer, (int) size, NULL, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
 	if (!doc) {
 		return NULL;
 	}