Description: Update documentation for XML::Twig.
 Mention problems with expand_external_ents and add
 information about new no_xxe argument.
 .
 Additionally add tests for both expand_external_ents and no_xxe.
Origin: vendor
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
Bug-Debian: https://bugs.debian.org/842893
Author: gregor herrmann <gregoa@debian.org>
Last-Update: 2019-03-30

--- a/Twig_pm.slow
+++ b/Twig_pm.slow
@@ -10454,6 +10454,15 @@
 pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
 cases.  
 
+B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
+as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
+To completely turn off expanding external entities use C<no_xxe>.
+
+=item no_xxe
+
+If this argument is set to a true value, expanding of external entities is
+turned off.
+
 =item load_DTD
 
 If this argument is set to a true value, C<parse> or C<parsefile> on the twig
--- /dev/null
+++ b/t/CVE-2016-9180.t
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More;
+use Test::Exception;
+
+BEGIN { use_ok('XML::Twig'); }
+
+my $twig = XML::Twig->new( expand_external_ents => 1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+my $result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
+
+TODO: {
+    local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
+
+$twig = XML::Twig->new( expand_external_ents => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+    'external entity not expanded (expand_external_ents 0)' );
+
+$twig = XML::Twig->new( expand_external_ents => -1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+    'external entity not expanded and no fail (expand_external_ents -1)' );
+
+}
+
+$twig = XML::Twig->new( no_xxe => 1 );
+throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
+    'external entity not expanded (no_xxe 1)';
+
+$twig = XML::Twig->new( no_xxe => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
+
+done_testing();
--- /dev/null
+++ b/t/CVE-2016-9180.txt
@@ -0,0 +1 @@
+Boom
--- /dev/null
+++ b/t/CVE-2016-9180.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+	<!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
+]>
+<root>&xxe;</root>