From c00f054d3cd5da19b76392fefea7b515e6deb3e6 Mon Sep 17 00:00:00 2001
From: nnposter
Date: Wed, 25 Nov 2020 02:14:03 +0000
Subject: [PATCH] Fix crashes when decoding codepoints larger than 255.

Fixes #2192

These codepoint references are now left intact. If necessary, it would be a trivial change to replace them with corresponding UTF sequences.

Note that the previous code was decoding the character references recursively, which was probably not the intent.
---
 CHANGELOG | 4 ++++
 nselib/citrixxml.lua | 29 +++++++++--------------------
 2 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 2b4f70538..b2c8c8009 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -32,6 +32,10 @@ o [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most
 identities that are syntactically incorrect to be hostnames are now ignored.
 [Michel Le Bihan, nnposter]
+o [NSE][GH#2192] XML decoding in library citrixxml no longer crashes when
+ encountering a character reference with codepoint greater than 255. (These
+ references are now left unmodified.) [nnposter]
+
 o [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for the audit rule base. [nnposter]
diff --git a/nselib/citrixxml.lua b/nselib/citrixxml.lua
index f75cec44e..3a0e3b0e4 100644
--- a/nselib/citrixxml.lua
+++ b/nselib/citrixxml.lua
@@ -25,32 +25,21 @@ local table = require "table"
 _ENV = stdnse.module("citrixxml", stdnse.seeall)
 --- Decodes html-entities to chars eg. =>
+-- Note that only decimal references of ASCII characters are supported.
+-- Named and hexadecimal references are left untouched, and so are codepoints
+-- greater than 255.
 --
 -- @param xmldata string to convert
--- @return string an e
+-- @return string with XML character references replaced with the corresponding characters
 function decode_xml_document(xmldata)
-
- local hexval
 if not xmldata then return "" end
-
- local newstr = xmldata
- local escaped_val
-
- while string.match(newstr, "(&#%d+;)" ) do
- escaped_val = string.match(newstr, "(&#%d+;)")
- hexval = escaped_val:match("(%d+)")
-
- if ( hexval ) then
- newstr = newstr:gsub(escaped_val, string.char(hexval))
- end
-
- end
-
- return newstr
-
+ return (xmldata:gsub("&#%d+;",
+ function (e)
+ local cp = tonumber(e:sub(3, -2))
+ return cp <= 0xFF and string.char(cp) or nil
+ end))
 end
 --- Sends the request to the server using the http lib
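Review bot: The new header comment states that only references to ASCII characters are decoded, but the guard on the `return cp <= 0xFF and string.char(cp) or nil` line admits codepoints 128–255 and emits each as a single raw byte, which is neither ASCII nor valid UTF-8 if the surrounding document is UTF-8 (the text presumably comes from the remote XML service, so the library cannot assume its encoding). Either tighten the guard to match the comment, `return cp <= 0x7F and string.char(cp) or nil`, or, if the NSE interpreter is Lua 5.3 or later, encode with `utf8.char(cp)` and drop the limit, as the commit message already suggests is a trivial follow-up. The guard also accepts `&#0;` and produces an embedded NUL byte in the result; whether that is acceptable depends on what callers do with the decoded text, and a one-line comment stating the intended policy would help the next maintainer.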