Bug 721796 - insufficient escaping in g_dbus_annotation_info_generate_xml()
Status: RESOLVED FIXED
Product: glib
Classification: Platform
Component: gdbus
Assigned To: David Zeuthen (not reading bugmail)
Reported: 2014-01-08 15:53 UTC by Allison Karlitskaya (desrt)
Modified: 2014-01-09 03:58 UTC
Attachments
gdbus: properly escape introspection annotations (1.44 KB, patch)
2014-01-08 16:07 UTC, Allison Karlitskaya (desrt)
committed
gdbus-introspection test: test escaping attributes (1.01 KB, patch)
2014-01-08 16:07 UTC, Allison Karlitskaya (desrt)
committed

Description Allison Karlitskaya (desrt) 2014-01-08 15:53:54 UTC
Having (XML) special characters in the value of an annotation can result in GDBus sending a malformed XML document in response to the Introspect call.

This is caused by insufficient escaping in g_dbus_annotation_info_generate_xml():

  g_string_append_printf (string_builder, "%*s<annotation name=\"%s\" value=\"%s\"",
                          indent, "",
                          info->key,
                          info->value);


We should probably markup-escape the info->value here before inserting it into the string.
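
The problem described above and the proposed escaping, as an added example that is not part of the bug report or of GLib's source. The helpers `xml_escape`, `render` and `delimiters_ok` are hypothetical; `xml_escape` stands in for GLib's markup escaping so the code compiles without GLib, and the annotation name, sample value and closing `/>` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for GLib markup escaping (added helper, not GLib code). */
static void xml_escape(char *dst, size_t cap, const char *src)
{
    static const char specials[] = "&<>\"'";
    static const char *const entities[] = { "&amp;", "&lt;", "&gt;", "&quot;", "&apos;" };
    size_t n = 0;
    for (; *src; src++) {
        const char *hit = strchr(specials, *src);
        const char *rep = hit ? entities[hit - specials] : src;
        size_t len = hit ? strlen(rep) : 1;
        if (n + len >= cap) break;      /* truncate instead of overflowing */
        memcpy(dst + n, rep, len);
        n += len;
    }
    dst[n] = '\0';
}

/* escape=0: verbatim, as in the report; escape=1: escaped. The closing "/>" is an added assumption. */
static const char *render(int escape, int indent, const char *key, const char *value)
{
    static char out[512], k[200], v[200];
    if (escape) {
        xml_escape(k, sizeof k, key);
        xml_escape(v, sizeof v, value);
        key = k; value = v;
    }
    snprintf(out, sizeof out, "%*s<annotation name=\"%s\" value=\"%s\"/>", indent, "", key, value);
    return out;
}

static int delimiters_ok(const char *xml)
{
    int quotes = 0, lt = 0;
    for (; *xml; xml++) { quotes += *xml == '"'; lt += *xml == '<'; }
    return quotes == 4 && lt == 1;   /* name="..", value="..", a single tag */
}

int main(void)
{
    const char *value = "say \"hi\" to <all> & co";   /* constructed sample */
    for (int escape = 0; escape <= 1; escape++) {
        const char *xml = render(escape, 2, "org.example.Note", value);
        printf("%s  delimiters_ok=%d\n", xml, delimiters_ok(xml));
    }
    return 0;
}
```

With the constructed value, the unescaped fragment carries extra `"` and `<` characters and fails the delimiter check, while the escaped one passes.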
Comment 1 Allison Karlitskaya (desrt) 2014-01-08 16:07:24 UTC
Created attachment 265720
gdbus: properly escape introspection annotations

Make sure we escape any special characters that are found in annotation
names or values to avoid emitting a malformed XML document in response
to an Introspect call.
Comment 2 Allison Karlitskaya (desrt) 2014-01-08 16:07:27 UTC
Created attachment 265721
gdbus-introspection test: test escaping attributes

Make sure attribute values are properly escaped in generated XML.
Comment 3 Matthias Clasen 2014-01-09 03:40:19 UTC
Review of attachment 265720:

yes
Comment 4 Matthias Clasen 2014-01-09 03:41:05 UTC
Review of attachment 265721:

nice
Comment 5 Allison Karlitskaya (desrt) 2014-01-09 03:58:21 UTC
Attachment 265720 pushed as 04ee782 - gdbus: properly escape introspection annotations
Attachment 265721 pushed as 8bc63b0 - gdbus-introspection test: test escaping attributes