Sync from SUSE:SLFO:Main perl-XML-Twig revision 3c607f746e4ae868a09809cc2725fa9f

Adrian Schröter 2024-05-03 19:12:37 +02:00
commit 1dc3986b65
6 changed files with 471 additions and 0 deletions

23
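--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text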

BIN
XML-Twig-3.52.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

28
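--- a/cpanspec.yml
+++ b/cpanspec.yml
@@ -0,0 +1,28 @@
+---
+#description_paragraphs: 3
+#no_testing: broken upstream
+#sources:
+# - source1
+# - source2
+patches:
+perl-XML-Twig-CVE-2016-9180.patch: -p1
+preamble: |-
+BuildRequires: expat
+BuildRequires: perl-HTML-Tidy
+BuildRequires: perl-IO-CaptureOutput
+BuildRequires: perl-Test-Exception
+BuildRequires: perl-Test-Pod
+BuildRequires: perl-Text-Iconv
+BuildRequires: perl-Text-Wrapper
+BuildRequires: perl-Tie-IxHash
+BuildRequires: perl-Unicode-Map8
+BuildRequires: perl-XML-Filter-BufferText
+BuildRequires: perl-XML-Handler-YAWriter
+BuildRequires: perl-XML-Parser
+BuildRequires: perl-XML-SAX-Writer
+BuildRequires: perl-XML-Simple
+BuildRequires: perl-XML-XPath
+BuildRequires: perl-XML-XPathEngine
+Requires: expat
+Requires: perl-XML-Parser
+Requires: perl(Encode)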


@ -0,0 +1,85 @@
Description: Update documentation for XML::Twig.
Mention problems with expand_external_ents and add
information about new no_xxe argument.
.
Additionally add tests for both expand_external_ents and no_xxe.
Origin: vendor
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
Bug-Debian: https://bugs.debian.org/842893
Author: gregor herrmann <gregoa@debian.org>
Last-Update: 2019-03-30
--- a/Twig_pm.slow
+++ b/Twig_pm.slow
@@ -10454,6 +10454,15 @@
pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
cases.
+B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
+as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
+To completely turn off expanding external entities use C<no_xxe>.
+
+=item no_xxe
+
+If this argument is set to a true value, expanding of external entities is
+turned off.
+
=item load_DTD
If this argument is set to a true value, C<parse> or C<parsefile> on the twig
--- /dev/null
+++ b/t/CVE-2016-9180.t
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More;
+use Test::Exception;
+
+BEGIN { use_ok('XML::Twig'); }
+
+my $twig = XML::Twig->new( expand_external_ents => 1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+my $result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
+
+TODO: {
+ local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
+
+$twig = XML::Twig->new( expand_external_ents => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded (expand_external_ents 0)' );
+
+$twig = XML::Twig->new( expand_external_ents => -1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded and no fail (expand_external_ents -1)' );
+
+}
+
+$twig = XML::Twig->new( no_xxe => 1 );
+throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
+ 'external entity not expanded (no_xxe 1)';
+
+$twig = XML::Twig->new( no_xxe => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
+
+done_testing();
--- /dev/null
+++ b/t/CVE-2016-9180.txt
@@ -0,0 +1 @@
+Boom
--- /dev/null
+++ b/t/CVE-2016-9180.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+ <!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
+]>
+<root>&xxe;</root>
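Review bot: The `expand_external_ents => 0` and `=> -1` cases in t/CVE-2016-9180.t sit inside the `TODO:` block, so `make test` passes even though, per the TODO message, external entities are still expanded for those settings. The patch changes only POD and tests, so the only working opt-out visible here is `no_xxe => 1`. There is also no case for a parser built without either option, which is the configuration most callers will have. A case such as `$twig = XML::Twig->new(); $twig->parsefile('t/CVE-2016-9180.xml'); unlike( $twig->sprint, qr/Boom/, 'default does not expand' );` would pin that, assuming the default is meant to leave `&xxe;` unexpanded. Code that parses untrusted XML with this package should pass `no_xxe => 1` and be prepared for `parsefile` to die on an external entity, as the `throws_ok` case shows.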

236
perl-XML-Twig.changes Normal file

@ -0,0 +1,236 @@
-------------------------------------------------------------------
Mon Jul 13 17:35:09 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Security fix [bsc#1008644, CVE-2016-9180]
* Setting expand_external_ents to 0 or -1 currently doesn't work
as expected; To completely turn off expanding external entities
use no_xxe.
* Update documentation for XML::Twig to mention problems with
expand_external_ents and add information about new no_xxe argument
* Add test CVE-2016-9180.t
* Add test build-requirements:
perl-Test-Exception, perl-Text-Iconv, perl-Unicode-Map8
- Add perl-XML-Twig-CVE-2016-9180.patch
-------------------------------------------------------------------
Thu Nov 24 07:28:15 UTC 2016 - coolo@suse.com
- updated to 3.52
see /usr/share/doc/packages/perl-XML-Twig/Changes
3.52 - 2016-11-23 - minor maintenance release
- fixed: the previous fix was buggy...
3.51 - 2016-11-23 - minor maintenance release
- fixed: failing tests when XML::XPathEngine and XML::XPath not available
-------------------------------------------------------------------
Wed Nov 23 07:26:06 UTC 2016 - coolo@suse.com
- updated to 3.50
see /usr/share/doc/packages/perl-XML-Twig/Changes
-------------------------------------------------------------------
Tue Apr 14 19:18:33 UTC 2015 - coolo@suse.com
- updated to 3.49
see /usr/share/doc/packages/perl-XML-Twig/Changes
3.49 - 2015-03-24
- added: the DTD_base option to XML::Twig new, that forces XML::Twig to look
for the DTD in a given directory
thanks to Arun lakhana for the idea
- fixed: XML::Parser 2.43 caused a failure in the tests due to a change in
its behaviour when die-ing.
- fixed: prevent PAUSE from trying to index packages that are only used
for monkey patching (to re-use XML::XPath as the XPath engine for
XML::Twig::XPath). Will also prevent UNAUTHORIZED flag on metacpan.
patch sent by Graham Knop
- fixed: RT #96009
keep_atts_order => 0 behaviour. Spotted by Dolmen
https://rt.cpan.org/Public/Bug/Display.html?id=96009
- fixed bug RT #97461
wrong error message was returned calling parse on an invalid filehandle
Thanks to Slaven Rezic for the bug report and test case
https://rt.cpan.org/Public/Bug/Display.html?id=97461
- fixed: RT #98801
COMPATIBILITY WARNING
inconsistency between simplify and XML::Simple for empty elements (including
elements with start and end tags but no contents)
the XML::Simple behaviour is to map them to an empty hash, not an
empty/undef scalar (depending of whether the element is a PCDATA or not)
as was the case in previous versions of the module.
This has the potential to break some existing code, but simplify should be
strictly the same as XML::Simple's XMLin
Thanks to Vangelis Katsikaros for the bug report and test case
https://rt.cpan.org/Public/Bug/Display.html?id=98801
-------------------------------------------------------------------
Mon Sep 15 15:15:20 UTC 2014 - coolo@suse.com
- updated to 3.48
- fixed: missing entities when parsing HTML
RT #93604 https://rt.cpan.org/Public/Bug/Display.html?id=93604
- fixed: tests failed when using a version of HTML::TreeBuilder with a non-numeric version
- fixed in twig_handlers, '=' in regexps on attributes are turned into 'eq'
RT #94295 https://rt.cpan.org/Public/Bug/Display.html?id=94295
- fixed: test failed on Windows
-------------------------------------------------------------------
Sat Mar 15 13:03:31 UTC 2014 - coolo@suse.com
- updated to 3.46
- fixed: link to idented_a format description
RT #85400 https://rt.cpan.org/Public/Bug/Display.html?id=85400
fixed by Martin McGrath
- fixed: code that gave a warning in 5.19.9
- fixed: RT #86651 https://rt.cpan.org/Ticket/Display.html?id=86773
xml_pp, quote not escaped in attribute values
- fixed various typos in docs RT#87660
thanks to David Steinbrunner
- fixed: RT #86773 https://rt.cpan.org/Ticket/Display.html?id=86773
CDATA sections in HTML were not properly escaped when using the
(default) HTML::TreeBuilder conversion
spotted by Marco Pessotto
- fixed: RT #85933 https://rt.cpan.org/Ticket/Display.html?id=85933
quotes in attributes were not properly escaped
dpotted by Arun Lakhana
- added: docs for tools and safe_print_to_file
- added: support for XPath variables
thanks to Nathan Glenn for the initial implementation
- updated: Changes to conform to CPAN::Changes + test
-------------------------------------------------------------------
Tue Jun 4 17:10:56 UTC 2013 - coolo@suse.com
- updated to 3.44
# minor maintenance release
added: XML::Twig::Elt new method now acccepts literal content, eg
my $e= XML::Twig::Elt->new( '<div><p>foo</p><p>bar</p></div>');
fixed: merge had some problems dealing with embedded comments
improved: more tests
improved: docs for parse, see RT #78877
https://rt.cpan.org/Ticket/Display.html?id=78877
fixed: xml_pp -i now preserves the permissions of the
original file, see RT #81165
https://rt.cpan.org/Ticket/Display.html?id=81165
reported by Alberto Simoes
fixed: RT #80503 Newlines in attribute values
https://rt.cpan.org/Ticket/Display.html?id=80503
reported (and explained) by Ambrus Zsban: \r, \n
and \n explicitely set in attribute values should
be escaped (with &#x<nb>;) when output
-------------------------------------------------------------------
Mon Apr 15 10:29:16 UTC 2013 - idonmez@suse.com
- Add Source URL, see https://en.opensuse.org/SourceUrls
-------------------------------------------------------------------
Tue Nov 27 08:29:14 UTC 2012 - dap.darkness@gmail.com
- update to 3.42
* fixed: bug, elements created with XML::Twig::Elt
* added: some tests
- passed the spec file through spec cleaner
- strip %clean section (not needed on BS)
-------------------------------------------------------------------
Fri Sep 23 16:33:24 UTC 2011 - vcizek@suse.com
- update to 3.39
- no upstream changelog,
see https://github.com/mirod/xmltwig/commits/master
for individual commits
- licence correction
-------------------------------------------------------------------
Sun Feb 27 23:43:46 UTC 2011 - pascal.bleser@opensuse.org
- update to 3.38:
* fixed: RT#65865: _ should be allowed at the start on an XML name
* removed: making att and class lvalues created problems: in certain context
they made regular calls to the method create empty   attributes. I
could find no satisfactory fix,they were either incompletes, or to complex
for often used methods. So att and class are back to being regular, non
l-value methods. latt and lclass are the l-value versions.
* added: documented the -html option for xml_grep, that allows processing
HTML input
* added: the -Tidy option to xml_grep, that uses HTML::Tidy to convert HTML
to XML
-------------------------------------------------------------------
Thu Dec 16 13:39:34 CET 2010 - anicka@suse.cz
- update to 3.37
*fixed: more tests fixed for HTML::TreeBuilder, hopefully
will pass now
-------------------------------------------------------------------
Wed Dec 1 13:36:22 UTC 2010 - coolo@novell.com
- switch to perl_requires macro
-------------------------------------------------------------------
Mon Nov 29 18:32:30 UTC 2010 - coolo@novell.com
- remove /var/adm/perl-modules
-------------------------------------------------------------------
Thu Oct 7 18:13:15 CEST 2010 - anicka@suse.cz
- update to 3.36
* bugfixes
-------------------------------------------------------------------
Fri Jul 16 15:13:02 CEST 2010 - anicka@suse.cz
- update to 3.35
* bugfixes
-------------------------------------------------------------------
Mon Jan 25 13:41:30 CET 2010 - anicka@suse.cz
- update to 3.34
* bugfixes, test suite fixes
-------------------------------------------------------------------
Wed Nov 21 10:57:58 CET 2007 - anicka@suse.cz
- update to 3.32
* bugfixes, test fixes
* fixed a couple of bugs in namespace handling
* added the XML::Twig::Elt fields method which returns a list of
fields
* added the normalize method in XML::Twig and XML::Twig::Elt
* added the indented_a / cvs format for pretty_print,
* Added the XML::Twig method finish_now that terminates parsing
immediately, without checking the rest of the XML.
* HTML parsing improved: XML::Twig now tries to find the proper
encoding for the document
-------------------------------------------------------------------
Thu Oct 18 16:55:24 CEST 2007 - anicka@suse.cz
- package created (version 3.29) [#297511]

96
perl-XML-Twig.spec Normal file

@ -0,0 +1,96 @@
#
# spec file for package perl-XML-Twig
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: perl-XML-Twig
Version: 3.52
Release: 0
%define cpan_name XML-Twig
Summary: Perl Module for Processing Huge Xml Documents in Tree Mode
License: Artistic-1.0 OR GPL-1.0-or-later
Group: Development/Libraries/Perl
URL: https://metacpan.org/release/%{cpan_name}
Source0: https://www.cpan.org/authors/id/M/MI/MIROD/%{cpan_name}-%{version}.tar.gz
Source1: cpanspec.yml
Patch0: perl-XML-Twig-CVE-2016-9180.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: perl
BuildRequires: perl-macros
BuildRequires: perl(XML::Parser) >= 2.23
Requires: perl(XML::Parser) >= 2.23
%{perl_requires}
# MANUAL BEGIN
BuildRequires: expat
BuildRequires: perl-HTML-Tidy
BuildRequires: perl-IO-CaptureOutput
BuildRequires: perl-Test-Exception
BuildRequires: perl-Test-Pod
BuildRequires: perl-Text-Iconv
BuildRequires: perl-Text-Wrapper
BuildRequires: perl-Tie-IxHash
BuildRequires: perl-Unicode-Map8
BuildRequires: perl-XML-Filter-BufferText
BuildRequires: perl-XML-Handler-YAWriter
BuildRequires: perl-XML-Parser
BuildRequires: perl-XML-SAX-Writer
BuildRequires: perl-XML-Simple
BuildRequires: perl-XML-XPath
BuildRequires: perl-XML-XPathEngine
Requires: expat
Requires: perl-XML-Parser
Requires: perl(Encode)
# MANUAL END
%description
This module provides a way to process XML documents. It is build on top of
'XML::Parser'.
The module offers a tree interface to the document, while allowing you to
output the parts of it that have been completely processed.
It allows minimal resource (CPU and memory) usage by building the tree only
for the parts of the documents that need actual processing, through the use
of the 'twig_roots ' and 'twig_print_outside_roots ' options. The 'finish '
and 'finish_print ' methods also help to increase performances.
XML::Twig tries to make simple things easy so it tries its best to takes
care of a lot of the (usually) annoying (but sometimes necessary) features
that come with XML and XML::Parser.
%prep
%setup -q -n %{cpan_name}-%{version}
find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
%patch0 -p1
%build
perl Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
%check
make test
%install
%perl_make_install
%perl_process_packlist
%perl_gen_filelist
%files -f %{name}.files
%defattr(-,root,root,755)
%doc Changes check_optional_modules filter_for_5.005 README speedup Twig_pm.slow
%changelog