forked from pool/perl-XML-Twig
- Updated perl-XML-Twig-CVE-2016-9180.patch
- updated to 3.540.0 (3.54)
  see /usr/share/doc/packages/perl-XML-Twig/Changes

  3.54 2025-06-11
    minor maintenance release
    - changed the minimum version of Perl to 5.10
      That should be old enough: "On December 18, 2007, the 20th anniversary of Perl 1.0, Perl 5.10.0 was released."
    - fixed the "build" system
      moved .pm files in the usual place for CPAN modules (lib/)
      used PM_FILTER in Makefile.PL to inline some method calls
      thanks to Daniel Macks for having a look at this and suggesting most of the improvements
    - fixed del_atts/set_att broke keep_atts_order
      see https://stackoverflow.com/questions/79369132
    - fixed #TEXT handlers not being called when set using setTwigHandlers
      see https://github.com/mirod/xmltwig/issues/36
      and fixed bugs in triggering #TEXT handlers in mixed content
    - fixed test special casing "SA" PERL_UNICODE instead of looking for S and A in the variable
      see https://github.com/mirod/xmltwig/issues/32
    - fixed docs for comment processing
      see https://github.com/mirod/xmltwig/issues/31
    - documentation cleanup
      thanks to chrispitude for the massive cleanup in https://github.com/mirod/xmltwig/pull/34
      and to zostay and asb-capfan for finding typos in https://github.com/mirod/xmltwig/pull/29 and https://github.com/mirod/xmltwig/pull/33
    - improved strip_att to allow more than 1 attribute to be stripped
      thanks to chrispitude for https://github.com/mirod/xmltwig/pull/37
    - added HTML style aliases for positions for paste and insert_new_elt
        beforebegin for before
        afterbegin for first_child
        beforeend for last_child
        afterend for after
    - improved insert_new_elt to allow for the element to insert to be a well-formed XML string, similar to insertAdjacentHTML in js

OBS-URL: https://build.opensuse.org/request/show/1284908
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-XML-Twig?expand=0&rev=45
86 lines
2.5 KiB
Diff
Description: Update documentation for XML::Twig.
Mention problems with expand_external_ents and add
information about new no_xxe argument.
.
Additionally add tests for both expand_external_ents and no_xxe.
Origin: vendor
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
Bug-Debian: https://bugs.debian.org/842893
Author: gregor herrmann <gregoa@debian.org>
Last-Update: 2019-03-30
 
--- a/lib/XML/Twig.pm
+++ b/lib/XML/Twig.pm
@@ -10561,6 +10561,15 @@
pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
cases.
 
+B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
+as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
+To completely turn off expanding external entities use C<no_xxe>.
+
+=item no_xxe
+
+If this argument is set to a true value, expanding of external entities is
+turned off.
+
=item load_DTD
 
If this argument is set to a true value, C<parse> or C<parsefile> on the twig
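Review bot: the new `=item no_xxe` entry (`+If this argument is set to a true value, expanding of external entities is` / `+turned off.`) does not say what a caller observes when the document does declare an external entity; the test added alongside this patch expects `parsefile` to die with `cannot expand &xxe;`, so the documentation should state that the parse fails with a `cannot expand ...` error rather than implying the entity is silently left unexpanded. Suggest: "If this argument is set to a true value, external entities are not expanded and the parse dies when one is encountered." The `B<WARNING>` paragraph is good as is, since it points readers at `no_xxe` as the working switch.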
--- /dev/null
+++ b/t/CVE-2016-9180.t
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More;
+use Test::Exception;
+
+BEGIN { use_ok('XML::Twig'); }
+
+my $twig = XML::Twig->new( expand_external_ents => 1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+my $result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
+
+TODO: {
+ local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
+
+$twig = XML::Twig->new( expand_external_ents => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded (expand_external_ents 0)' );
+
+$twig = XML::Twig->new( expand_external_ents => -1 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+unlike( $result, qr/Boom/,
+ 'external entity not expanded and no fail (expand_external_ents -1)' );
+
+}
+
+$twig = XML::Twig->new( no_xxe => 1 );
+throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
+ 'external entity not expanded (no_xxe 1)';
+
+$twig = XML::Twig->new( no_xxe => 0 );
+$twig->parsefile('t/CVE-2016-9180.xml');
+$result = $twig->sprint;
+like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
+
+done_testing();
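Review bot: `use Test::Exception;` near the top of the new test pulls in a non-core module that only the `throws_ok` check for `no_xxe => 1` needs; either declare it as a build/test dependency of the package or guard it (`eval { require Test::Exception }` with `plan skip_all` when it is missing), otherwise the whole file fails at compile time where the module is absent and the regression coverage for the fixed `no_xxe` case is lost along with it. Secondary: the cases cover `expand_external_ents` at 1, 0 and -1 and `no_xxe` at 1 and 0, but not a bare `XML::Twig->new()`; one more case with the default constructor would record whether external entities are expanded out of the box, which is the configuration most callers run with.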
--- /dev/null
+++ b/t/CVE-2016-9180.txt
@@ -0,0 +1 @@
+Boom
--- /dev/null
+++ b/t/CVE-2016-9180.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+ <!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
+]>
+<root>&xxe;</root>
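Review bot: the declaration `<!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">` uses a relative system identifier with no directory component, while the test opens the document as `t/CVE-2016-9180.xml`; the fixture therefore only resolves if the parser looks the entity up relative to the document's location rather than the current working directory. Worth a one-line comment in the test (or an absolute path built from `$0`), so that a future change in how the suite is invoked does not turn this into a confusing failure of the `like( $result, qr/Boom/ )` checks.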