From 53b675763cdbfdd6abdae46b0e2c19e637c19ed3 Mon Sep 17 00:00:00 2001
From: George Joseph
Date: Thu, 15 Jan 2026 08:38:26 -0700
Subject: [PATCH] xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external entities, could allow a potential XXE injection attack. Replacing it with XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42
---
 main/xml.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/main/xml.c b/main/xml.c
index 8f7a891116..c3182aa4dc 100644
--- a/main/xml.c
+++ b/main/xml.c
@@ -99,7 +99,7 @@ struct ast_xml_doc *ast_xml_open(char *filename)
 return NULL;
 }
 
- doc = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
+ doc = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
 if (!doc) {
 return NULL;
 }
@@ -503,7 +503,7 @@ struct ast_xslt_doc *ast_xslt_open(char *filename)
 xsltStylesheet *xslt;
 xmlDoc *xml;
 
- xml = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
+ xml = xmlReadFile(filename, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
 if (!xml) {
 return NULL;
 }
@@ -531,7 +531,7 @@ struct ast_xslt_doc *ast_xslt_read_memory(char *buffer, size_t size)
 return NULL;
 }
 
- doc = xmlReadMemory(buffer, (int) size, NULL, NULL, XML_PARSE_RECOVER | XML_PARSE_NOENT);
+ doc = xmlReadMemory(buffer, (int) size, NULL, NULL, XML_PARSE_RECOVER | XML_PARSE_NONET);
 if (!doc) {
 return NULL;
 }
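Review bot: The `xmlReadFile` call in `ast_xml_open` has no comment explaining why `XML_PARSE_NOENT` must stay off, so a later change could add it back. The protection comes from dropping `XML_PARSE_NOENT`, which stops entity substitution; `XML_PARSE_NONET` only forbids network fetches and does not by itself stop a local file being pulled in through an entity. I would add `/* Do not add XML_PARSE_NOENT: entity substitution enables XXE. XML_PARSE_NONET only blocks network fetches. */` above this call and above the matching calls in `ast_xslt_open` and `ast_xslt_read_memory`. The function body continues outside the hunk, so it is worth confirming that no later step there loads external resources, since this flag change would not cover it.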
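Review bot: In `ast_xslt_open` the parsed document is a stylesheet, and without `XML_PARSE_NOENT` libxml2 leaves entity references in the tree as reference nodes rather than substituted text. libxslt's own `XSLT_PARSE_OPTIONS` includes `XML_PARSE_NOENT`, so a stylesheet that relies on internal DTD entities may now compile or render differently; the same applies to `ast_xslt_read_memory`. Keeping the flag off is the right call for untrusted input, but the behaviour change should be stated at the call, for example `/* Entities are deliberately not substituted; stylesheets must not depend on DTD entities. */`, and covered by a test with such a stylesheet. The rest of the function is outside the hunk.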
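Review bot: The `(int) size` cast in the `xmlReadMemory` call of `ast_xslt_read_memory` narrows a `size_t` without a bound, so a buffer longer than `INT_MAX` reaches the parser with a truncated or negative length. The guard above the call is only partly visible in the hunk; if it does not already bound `size`, add `if (size > INT_MAX) { return NULL; }` before the call (this needs `<limits.h>`). This line was already touched by the commit, so the check fits here.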