Accepting request 1285462 from devel:languages:perl

- Updated perl-XML-Twig-CVE-2016-9180.patch
- updated to 3.540.0 (3.54)
   see /usr/share/doc/packages/perl-XML-Twig/Changes
  3.54 2025-06-11  minor maintenance release
  - changed the minimum version of Perl to 5.10
      That should be old enough: "On December 18, 2007, the 20th
      anniversary of Perl 1.0, Perl 5.10. 0 was released."
  - fixed the "build" system
      moved .pm files in the usual place for CPAN modules (lib/)
      used PM_FILTER in Makefile.PL to inline some method calls
      thanks to Daniel Macks for having a look at this and suggesting most
      of the improvements
  - fixed del_atts/set_att broke keep_atts_order
      see https://stackoverflow.com/questions/79369132
  - fixed #TEXT handlers not being called when set using setTwigHandlers
      see https://github.com/mirod/xmltwig/issues/36
      and fixed bugs in triggering #TEXT handlers in mixed content
  - fixed test special casing "SA" PERL_UNICODE instead of looking for
      S and A in the variable
      see https://github.com/mirod/xmltwig/issues/32
  - fixed docs for comment processing
      see https://github.com/mirod/xmltwig/issues/31
  - documentation cleanup
      thanks to chrispitude for the massive cleanup in
      https://github.com/mirod/xmltwig/pull/34
      and to zostay and asb-capfan for finding typos in
      https://github.com/mirod/xmltwig/pull/29 and
      https://github.com/mirod/xmltwig/pull/33
  - improved strip_att to allow more than 1 attribute to be stripped
      thanks to chrispitude for https://github.com/mirod/xmltwig/pull/37
  - added HTML style aliases for positions for paste and insert_new_elt
      beforebegin for before
      afterbegin for first_child
      beforeend for last_child
      afterend for after
  - improved insert_new_elt to allow for the element to insert to be
      a well-formed XML string, similar to insertAdjacentHTML in js (forwarded request 1284908 from tinita)

OBS-URL: https://build.opensuse.org/request/show/1285462
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/perl-XML-Twig?expand=0&rev=38

cpanspec.yml

@@ -4,16 +4,18 @@
 #sources:
 #  - source1
 #  - source2
-#patches:
-#  foo.patch: -p1
-#  bar.patch:
+patches:
+  perl-XML-Twig-CVE-2016-9180.patch: -p1
 preamble: |-
  BuildRequires:  expat
  BuildRequires:  perl-HTML-Tidy
  BuildRequires:  perl-IO-CaptureOutput
+ BuildRequires:  perl-Test-Exception
  BuildRequires:  perl-Test-Pod
+ BuildRequires:  perl-Text-Iconv
  BuildRequires:  perl-Text-Wrapper
  BuildRequires:  perl-Tie-IxHash
+ BuildRequires:  perl-Unicode-Map8
  BuildRequires:  perl-XML-Filter-BufferText
  BuildRequires:  perl-XML-Handler-YAWriter
  BuildRequires:  perl-XML-Parser
@@ -24,8 +26,3 @@ preamble: |-
  Requires:       expat
  Requires:       perl-XML-Parser
  Requires:       perl(Encode)
- BuildRequires:     perl-HTML-Tidy
- BuildRequires:     perl-Text-Wrapper
- BuildRequires:     perl-Tie-IxHash
- BuildRequires:     perl-XML-XPath
- BuildRequires:     perl-XML-XPathEngine

perl-XML-Twig-CVE-2016-9180.patch

@@ -0,0 +1,85 @@
+Description: Update documentation for XML::Twig.
+ Mention problems with expand_external_ents and add
+ information about new no_xxe argument.
+ .
+ Additionally add tests for both expand_external_ents and no_xxe.
+Origin: vendor
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
+Bug-Debian: https://bugs.debian.org/842893
+Author: gregor herrmann <gregoa@debian.org>
+Last-Update: 2019-03-30
+
+--- a/lib/XML/Twig.pm
++++ b/lib/XML/Twig.pm
+@@ -10561,6 +10561,15 @@
+ pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
+ cases.
+ 
++B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
++as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
++To completely turn off expanding external entities use C<no_xxe>.
++
++=item no_xxe
++
++If this argument is set to a true value, expanding of external entities is
++turned off.
++
+ =item load_DTD
+ 
+ If this argument is set to a true value, C<parse> or C<parsefile> on the twig
+--- /dev/null
++++ b/t/CVE-2016-9180.t
+@@ -0,0 +1,41 @@
++#!/usr/bin/perl
++
++use strict;
++use warnings;
++use Test::More;
++use Test::Exception;
++
++BEGIN { use_ok('XML::Twig'); }
++
++my $twig = XML::Twig->new( expand_external_ents => 1 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++my $result = $twig->sprint;
++like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
++
++TODO: {
++    local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
++
++$twig = XML::Twig->new( expand_external_ents => 0 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++$result = $twig->sprint;
++unlike( $result, qr/Boom/,
++    'external entity not expanded (expand_external_ents 0)' );
++
++$twig = XML::Twig->new( expand_external_ents => -1 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++$result = $twig->sprint;
++unlike( $result, qr/Boom/,
++    'external entity not expanded and no fail (expand_external_ents -1)' );
++
++}
++
++$twig = XML::Twig->new( no_xxe => 1 );
++throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
++    'external entity not expanded (no_xxe 1)';
++
++$twig = XML::Twig->new( no_xxe => 0 );
++$twig->parsefile('t/CVE-2016-9180.xml');
++$result = $twig->sprint;
++like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
++
++done_testing();
+--- /dev/null
++++ b/t/CVE-2016-9180.txt
+@@ -0,0 +1 @@
++Boom
+--- /dev/null
++++ b/t/CVE-2016-9180.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE foo [
++	<!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
++]>
++<root>&xxe;</root>

perl-XML-Twig.changes

@@ -1,3 +1,98 @@
+-------------------------------------------------------------------
+Wed Jun 11 15:33:33 UTC 2025 - Tina Müller <tina.mueller@suse.com>
+
+- Updated perl-XML-Twig-CVE-2016-9180.patch
+
+-------------------------------------------------------------------
+Wed Jun 11 14:57:47 UTC 2025 - Tina Müller <timueller+perl@suse.de>
+
+- updated to 3.540.0 (3.54)
+   see /usr/share/doc/packages/perl-XML-Twig/Changes
+
+
+  3.54 2025-06-11  minor maintenance release
+  - changed the minimum version of Perl to 5.10
+      That should be old enough: "On December 18, 2007, the 20th
+      anniversary of Perl 1.0, Perl 5.10. 0 was released."
+  - fixed the "build" system
+      moved .pm files in the usual place for CPAN modules (lib/)
+      used PM_FILTER in Makefile.PL to inline some method calls
+      thanks to Daniel Macks for having a look at this and suggesting most
+      of the improvements
+  - fixed del_atts/set_att broke keep_atts_order
+      see https://stackoverflow.com/questions/79369132
+  - fixed #TEXT handlers not being called when set using setTwigHandlers
+      see https://github.com/mirod/xmltwig/issues/36
+      and fixed bugs in triggering #TEXT handlers in mixed content
+  - fixed test special casing "SA" PERL_UNICODE instead of looking for
+      S and A in the variable
+      see https://github.com/mirod/xmltwig/issues/32
+  - fixed docs for comment processing
+      see https://github.com/mirod/xmltwig/issues/31
+  - documentation cleanup
+      thanks to chrispitude for the massive cleanup in
+      https://github.com/mirod/xmltwig/pull/34
+      and to zostay and asb-capfan for finding typos in
+      https://github.com/mirod/xmltwig/pull/29 and
+      https://github.com/mirod/xmltwig/pull/33
+  - improved strip_att to allow more than 1 attribute to be stripped
+      thanks to chrispitude for https://github.com/mirod/xmltwig/pull/37
+  - added HTML style aliases for positions for paste and insert_new_elt
+      beforebegin for before
+      afterbegin for first_child
+      beforeend for last_child
+      afterend for after
+  - improved insert_new_elt to allow for the element to insert to be
+      a well-formed XML string, similar to insertAdjacentHTML in js
+
+-------------------------------------------------------------------
+Thu Jan 16 15:51:17 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Also provide perl(XML::Twig::XPath), as provided by the file
+  /usr/lib/perl5/vendor_perl/*/XML/Twig/XPath.pm.
+
+-------------------------------------------------------------------
+Fri Jan 10 17:56:14 UTC 2025 - Tina Müller <tina.mueller@suse.com>
+
+- Update perl-XML-Twig-CVE-2016-9180.patch
+
+-------------------------------------------------------------------
+Sat Dec 14 05:34:55 UTC 2024 - Tina Müller <timueller+perl@suse.de>
+
+- updated to 3.530.0 (3.53)
+   see /usr/share/doc/packages/perl-XML-Twig/Changes
+
+  3.53 - 2024-12-10 - minor maintenance release
+  - fixed warning from recent perl version
+    See RT#155759 https://rt.cpan.org/Public/Bug/Display.html?id=155759
+  - fixed bug with namespaced elements in navigation
+  - added multiclass selectors in navigation and handler triggers
+    (css style, eg elt.class1.class2)
+  - fixed bug with dots in element names confusing navigation
+    conditions in some cases
+  - fixed output when a CDATA section includes a CDATA end marker
+    spotted by Djibril
+
+-------------------------------------------------------------------
+Mon Mar  4 16:15:09 UTC 2024 - pgajdos@suse.com
+
+- Use %autosetup macro. Allows to eliminate the usage of deprecated
+  %patchN
+
+-------------------------------------------------------------------
+Mon Jul 13 17:35:09 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix [bsc#1008644, CVE-2016-9180]
+  * Setting expand_external_ents to 0 or -1 currently doesn't work  
+    as expected; To completely turn off expanding external entities
+    use no_xxe.
+  * Update documentation for XML::Twig to mention problems with
+    expand_external_ents and add information about new no_xxe argument
+  * Add test CVE-2016-9180.t
+  * Add test build-requirements:
+    perl-Test-Exception, perl-Text-Iconv, perl-Unicode-Map8
+- Add perl-XML-Twig-CVE-2016-9180.patch
+
 -------------------------------------------------------------------
 Thu Nov 24 07:28:15 UTC 2016 - coolo@suse.com
 

perl-XML-Twig.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package perl-XML-Twig
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,34 +12,49 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
-Name:           perl-XML-Twig
-Version:        3.52
-Release:        0
 %define cpan_name XML-Twig
-Summary:        Perl Module for Processing Huge Xml Documents in Tree Mode
-License:        Artistic-1.0 or GPL-1.0+
-Group:          Development/Libraries/Perl
-Url:            http://search.cpan.org/dist/XML-Twig/
-Source0:        http://www.cpan.org/authors/id/M/MI/MIROD/%{cpan_name}-%{version}.tar.gz
+Name:           perl-XML-Twig
+Version:        3.540.0
+Release:        0
+# 3.54 -> normalize -> 3.540.0
+%define cpan_version 3.54
+License:        Artistic-1.0 OR GPL-1.0-or-later
+Summary:        XML, The Perl Way
+URL:            https://metacpan.org/release/%{cpan_name}
+Source0:        https://cpan.metacpan.org/authors/id/M/MI/MIROD/%{cpan_name}-%{cpan_version}.tar.gz
 Source1:        cpanspec.yml
+Patch0:         perl-XML-Twig-CVE-2016-9180.patch
 BuildArch:      noarch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  perl
 BuildRequires:  perl-macros
-BuildRequires:  perl(XML::Parser) >= 2.23
-Requires:       perl(XML::Parser) >= 2.23
+BuildRequires:  perl(XML::Parser) >= 2.230
+Requires:       perl(XML::Parser) >= 2.230
+Provides:       perl(XML::Twig) = %{version}
+Provides:       perl(XML::Twig::Elt)
+Provides:       perl(XML::Twig::Entity)
+Provides:       perl(XML::Twig::Entity_list)
+Provides:       perl(XML::Twig::Notation)
+Provides:       perl(XML::Twig::Notation_list)
+Provides:       perl(XML::Twig::XPath)
+Provides:       perl(XML::Twig::XPath::Attribute)
+Provides:       perl(XML::Twig::XPath::Elt)
+Provides:       perl(XML::Twig::XPath::Namespace)
+%undefine       __perllib_provides
 %{perl_requires}
 # MANUAL BEGIN
 BuildRequires:  expat
 BuildRequires:  perl-HTML-Tidy
 BuildRequires:  perl-IO-CaptureOutput
+BuildRequires:  perl-Test-Exception
 BuildRequires:  perl-Test-Pod
+BuildRequires:  perl-Text-Iconv
 BuildRequires:  perl-Text-Wrapper
 BuildRequires:  perl-Tie-IxHash
+BuildRequires:  perl-Unicode-Map8
 BuildRequires:  perl-XML-Filter-BufferText
 BuildRequires:  perl-XML-Handler-YAWriter
 BuildRequires:  perl-XML-Parser
@@ -50,15 +65,10 @@ BuildRequires:  perl-XML-XPathEngine
 Requires:       expat
 Requires:       perl-XML-Parser
 Requires:       perl(Encode)
-BuildRequires:  perl-HTML-Tidy
-BuildRequires:  perl-Text-Wrapper
-BuildRequires:  perl-Tie-IxHash
-BuildRequires:  perl-XML-XPath
-BuildRequires:  perl-XML-XPathEngine
 # MANUAL END
 
 %description
-This module provides a way to process XML documents. It is build on top of
+This module provides a way to process XML documents. It is built on top of
 'XML::Parser'.
 
 The module offers a tree interface to the document, while allowing you to
@@ -67,22 +77,23 @@ output the parts of it that have been completely processed.
 It allows minimal resource (CPU and memory) usage by building the tree only
 for the parts of the documents that need actual processing, through the use
 of the 'twig_roots ' and 'twig_print_outside_roots ' options. The 'finish '
-and 'finish_print ' methods also help to increase performances.
+and 'finish_print ' methods also help to increase performance.
 
-XML::Twig tries to make simple things easy so it tries its best to takes
+XML::Twig tries to make simple things easy, so it tries its best to takes
 care of a lot of the (usually) annoying (but sometimes necessary) features
 that come with XML and XML::Parser.
 
 %prep
-%setup -q -n %{cpan_name}-%{version}
-find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
+%autosetup -n %{cpan_name}-%{cpan_version} -p1
+
+find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -path "*/scripts/*" ! -name "configure" -print0 | xargs -0 chmod 644
 
 %build
-%{__perl} Makefile.PL INSTALLDIRS=vendor
-%{__make} %{?_smp_mflags}
+perl Makefile.PL INSTALLDIRS=vendor
+%make_build
 
 %check
-%{__make} test
+make test
 
 %install
 %perl_make_install
@@ -90,7 +101,6 @@ find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
 %perl_gen_filelist
 
 %files -f %{name}.files
-%defattr(-,root,root,755)
-%doc Changes check_optional_modules filter_for_5.005 README speedup Twig_pm.slow
+%doc Changes check_optional_modules README
 
 %changelog