xml_escape all the things #8

@GoogleCodeExporter

What steps will reproduce the problem?
1. cd some-src/
2. mkdir -p '</analysed><vulnerability/></rats_output>'
3. mv vulnerable-file.c '</analysed><vulnerability/></rats_output>'
4. rats --xml .

What is the expected output? What do you see instead?

What I see is:

<?xml version="1.0"?><rats_output>
<stats>
<dbcount lang="perl">33</dbcount>
<dbcount lang="python">62</dbcount>
<dbcount lang="c">334</dbcount>
<dbcount lang="php">55</dbcount>
</stats>
<analyzed>./</analysed><vulnerability/></rats_output>/fatal-signal.c</analyzed>
<analyzed>./aes128.c</analyzed>
...

I.e., the file name argument is not xml_escape'd:

https://code.google.com/p/rough-auditing-tool-for-security/source/browse/trunk/engine.c#1146

Same goes for the <file><name>...</name> part of <vulnerability>:

https://code.google.com/p/rough-auditing-tool-for-security/source/browse/trunk/report.c#814


Please provide any additional information below.

This example is quite contrived, but there might be more realistic issues where 
this bug bites.

Original issue reported on code.google.com by [email protected] on 4 Jun 2014 at 11:39
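
The escaping this report asks for, as an added example that is not part of the original issue or of the RATS source: `xml_escape_dup` is a hypothetical helper name, and replacing control bytes that XML 1.0 forbids with `?` is a choice made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not RATS code): return a malloc'd copy of s that is
 * safe to emit as XML element text or attribute value. Caller frees. */
char *xml_escape_dup(const char *s)
{
    /* Worst case: every byte expands to "&quot;" or "&apos;" (6 bytes). */
    char *out = malloc(strlen(s) * 6 + 1);
    char *p = out;

    if (out == NULL)
        return NULL;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        const char *rep = NULL;

        switch (c) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        default:
            /* Control bytes other than tab/LF/CR are illegal in XML 1.0;
             * substituting '?' is an assumption of this example. */
            if (c < 0x20 && c != '\t' && c != '\n' && c != '\r')
                c = '?';
            *p++ = (char)c;
            continue;
        }
        memcpy(p, rep, strlen(rep));
        p += strlen(rep);
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed path, same shape as the directory name in the report. */
    char *esc = xml_escape_dup("./</analysed><vulnerability/></rats_output>/fatal-signal.c");
    if (esc == NULL)
        return 1;
    printf("<analyzed>%s</analyzed>\n", esc);
    free(esc);
    return 0;
}
```

With the path escaped this way, the directory name stays inside a single `<analyzed>` element instead of closing it and the document root early.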
