Accepting request 821341 from devel:languages:perl
OBS-URL: https://build.opensuse.org/request/show/821341 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/perl-XML-Twig?expand=0&rev=34
commit
86a40d0166
13
cpanspec.yml
13
cpanspec.yml
|
@ -4,16 +4,18 @@
|
|||
#sources:
|
||||
# - source1
|
||||
# - source2
|
||||
#patches:
|
||||
# foo.patch: -p1
|
||||
# bar.patch:
|
||||
patches:
|
||||
perl-XML-Twig-CVE-2016-9180.patch: -p1
|
||||
preamble: |-
|
||||
BuildRequires: expat
|
||||
BuildRequires: perl-HTML-Tidy
|
||||
BuildRequires: perl-IO-CaptureOutput
|
||||
BuildRequires: perl-Test-Exception
|
||||
BuildRequires: perl-Test-Pod
|
||||
BuildRequires: perl-Text-Iconv
|
||||
BuildRequires: perl-Text-Wrapper
|
||||
BuildRequires: perl-Tie-IxHash
|
||||
BuildRequires: perl-Unicode-Map8
|
||||
BuildRequires: perl-XML-Filter-BufferText
|
||||
BuildRequires: perl-XML-Handler-YAWriter
|
||||
BuildRequires: perl-XML-Parser
|
||||
|
@ -24,8 +26,3 @@ preamble: |-
|
|||
Requires: expat
|
||||
Requires: perl-XML-Parser
|
||||
Requires: perl(Encode)
|
||||
BuildRequires: perl-HTML-Tidy
|
||||
BuildRequires: perl-Text-Wrapper
|
||||
BuildRequires: perl-Tie-IxHash
|
||||
BuildRequires: perl-XML-XPath
|
||||
BuildRequires: perl-XML-XPathEngine
|
||||
|
|
|
@ -0,0 +1,85 @@
|
|||
Description: Update documentation for XML::Twig.
|
||||
Mention problems with expand_external_ents and add
|
||||
information about new no_xxe argument.
|
||||
.
|
||||
Additionally add tests for both expand_external_ents and no_xxe.
|
||||
Origin: vendor
|
||||
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=118097
|
||||
Bug-Debian: https://bugs.debian.org/842893
|
||||
Author: gregor herrmann <gregoa@debian.org>
|
||||
Last-Update: 2019-03-30
|
||||
|
||||
--- a/Twig_pm.slow
|
||||
+++ b/Twig_pm.slow
|
||||
@@ -10454,6 +10454,15 @@
|
||||
pubid => <pubid> }). Yes, this is a bit of a hack, but it's useful in some
|
||||
cases.
|
||||
|
||||
+B<WARNING>: setting expand_external_ents to 0 or -1 currently doesn't work
|
||||
+as expected; cf. L<https://rt.cpan.org/Public/Bug/Display.html?id=118097>.
|
||||
+To completely turn off expanding external entities use C<no_xxe>.
|
||||
+
|
||||
+=item no_xxe
|
||||
+
|
||||
+If this argument is set to a true value, expanding of external entities is
|
||||
+turned off.
|
||||
+
|
||||
=item load_DTD
|
||||
|
||||
If this argument is set to a true value, C<parse> or C<parsefile> on the twig
|
||||
--- /dev/null
|
||||
+++ b/t/CVE-2016-9180.t
|
||||
@@ -0,0 +1,41 @@
|
||||
+#!/usr/bin/perl
|
||||
+
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+use Test::More;
|
||||
+use Test::Exception;
|
||||
+
|
||||
+BEGIN { use_ok('XML::Twig'); }
|
||||
+
|
||||
+my $twig = XML::Twig->new( expand_external_ents => 1 );
|
||||
+$twig->parsefile('t/CVE-2016-9180.xml');
|
||||
+my $result = $twig->sprint;
|
||||
+like( $result, qr/Boom/, 'external entity expanded (expand_external_ents 1)' );
|
||||
+
|
||||
+TODO: {
|
||||
+ local $TODO = 'This test currently fails: https://rt.cpan.org/Public/Bug/Display.html?id=118097';
|
||||
+
|
||||
+$twig = XML::Twig->new( expand_external_ents => 0 );
|
||||
+$twig->parsefile('t/CVE-2016-9180.xml');
|
||||
+$result = $twig->sprint;
|
||||
+unlike( $result, qr/Boom/,
|
||||
+ 'external entity not expanded (expand_external_ents 0)' );
|
||||
+
|
||||
+$twig = XML::Twig->new( expand_external_ents => -1 );
|
||||
+$twig->parsefile('t/CVE-2016-9180.xml');
|
||||
+$result = $twig->sprint;
|
||||
+unlike( $result, qr/Boom/,
|
||||
+ 'external entity not expanded and no fail (expand_external_ents -1)' );
|
||||
+
|
||||
+}
|
||||
+
|
||||
+$twig = XML::Twig->new( no_xxe => 1 );
|
||||
+throws_ok { $twig->parsefile('t/CVE-2016-9180.xml') } qr/cannot expand &xxe;/,
|
||||
+ 'external entity not expanded (no_xxe 1)';
|
||||
+
|
||||
+$twig = XML::Twig->new( no_xxe => 0 );
|
||||
+$twig->parsefile('t/CVE-2016-9180.xml');
|
||||
+$result = $twig->sprint;
|
||||
+like( $result, qr/Boom/, 'external entity expanded (no_xxe 0)' );
|
||||
+
|
||||
+done_testing();
|
||||
--- /dev/null
|
||||
+++ b/t/CVE-2016-9180.txt
|
||||
@@ -0,0 +1 @@
|
||||
+Boom
|
||||
--- /dev/null
|
||||
+++ b/t/CVE-2016-9180.xml
|
||||
@@ -0,0 +1,5 @@
|
||||
+<?xml version="1.0"?>
|
||||
+<!DOCTYPE foo [
|
||||
+ <!ENTITY xxe PUBLIC "bar" "CVE-2016-9180.txt">
|
||||
+]>
|
||||
+<root>&xxe;</root>
|
|
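Review bot: The new POD item for no_xxe (the `+=item no_xxe` hunk in Twig_pm.slow) describes the option as opt-in but never tells readers that external entities keep being resolved for every caller who does not pass it, even though the TODO block in t/CVE-2016-9180.t (`expand_external_ents => 0` and `-1` both still yielding `Boom`) and the patch description ("Update documentation", "add tests") show that this patch touches only documentation and tests, not the parser. Applications that feed untrusted XML to XML::Twig are therefore only protected once they themselves add `no_xxe => 1`, and because the insecure cases sit inside `TODO:` the test file passes under `make test`, so a green package build is not evidence that the entity-expansion problem is closed. I would extend the item with one more sentence: `Applications parsing untrusted documents should always set C<no_xxe> to a true value; C<expand_external_ents> alone does not prevent external entities from being resolved.` The `expand_external_ents` item this hunk extends starts above the hunk, so the same sentence is worth repeating near its top where readers look first.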
@ -1,3 +1,17 @@
|
|||
-------------------------------------------------------------------
|
||||
Mon Jul 13 17:35:09 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
- Security fix [bsc#1008644, CVE-2016-9180]
|
||||
* Setting expand_external_ents to 0 or -1 currently doesn't work
|
||||
as expected; To completely turn off expanding external entities
|
||||
use no_xxe.
|
||||
* Update documentation for XML::Twig to mention problems with
|
||||
expand_external_ents and add information about new no_xxe argument
|
||||
* Add test CVE-2016-9180.t
|
||||
* Add test build-requirements:
|
||||
perl-Test-Exception, perl-Text-Iconv, perl-Unicode-Map8
|
||||
- Add perl-XML-Twig-CVE-2016-9180.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 24 07:28:15 UTC 2016 - coolo@suse.com
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#
|
||||
# spec file for package perl-XML-Twig
|
||||
#
|
||||
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
|
@ -12,7 +12,7 @@
|
|||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
|
@ -21,11 +21,12 @@ Version: 3.52
|
|||
Release: 0
|
||||
%define cpan_name XML-Twig
|
||||
Summary: Perl Module for Processing Huge Xml Documents in Tree Mode
|
||||
License: Artistic-1.0 or GPL-1.0+
|
||||
License: Artistic-1.0 OR GPL-1.0-or-later
|
||||
Group: Development/Libraries/Perl
|
||||
Url: http://search.cpan.org/dist/XML-Twig/
|
||||
Source0: http://www.cpan.org/authors/id/M/MI/MIROD/%{cpan_name}-%{version}.tar.gz
|
||||
URL: https://metacpan.org/release/%{cpan_name}
|
||||
Source0: https://www.cpan.org/authors/id/M/MI/MIROD/%{cpan_name}-%{version}.tar.gz
|
||||
Source1: cpanspec.yml
|
||||
Patch0: perl-XML-Twig-CVE-2016-9180.patch
|
||||
BuildArch: noarch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: perl
|
||||
|
@ -37,9 +38,12 @@ Requires: perl(XML::Parser) >= 2.23
|
|||
BuildRequires: expat
|
||||
BuildRequires: perl-HTML-Tidy
|
||||
BuildRequires: perl-IO-CaptureOutput
|
||||
BuildRequires: perl-Test-Exception
|
||||
BuildRequires: perl-Test-Pod
|
||||
BuildRequires: perl-Text-Iconv
|
||||
BuildRequires: perl-Text-Wrapper
|
||||
BuildRequires: perl-Tie-IxHash
|
||||
BuildRequires: perl-Unicode-Map8
|
||||
BuildRequires: perl-XML-Filter-BufferText
|
||||
BuildRequires: perl-XML-Handler-YAWriter
|
||||
BuildRequires: perl-XML-Parser
|
||||
|
@ -50,11 +54,6 @@ BuildRequires: perl-XML-XPathEngine
|
|||
Requires: expat
|
||||
Requires: perl-XML-Parser
|
||||
Requires: perl(Encode)
|
||||
BuildRequires: perl-HTML-Tidy
|
||||
BuildRequires: perl-Text-Wrapper
|
||||
BuildRequires: perl-Tie-IxHash
|
||||
BuildRequires: perl-XML-XPath
|
||||
BuildRequires: perl-XML-XPathEngine
|
||||
# MANUAL END
|
||||
|
||||
%description
|
||||
|
@ -76,13 +75,14 @@ that come with XML and XML::Parser.
|
|||
%prep
|
||||
%setup -q -n %{cpan_name}-%{version}
|
||||
find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
|
||||
%patch0 -p1
|
||||
|
||||
%build
|
||||
%{__perl} Makefile.PL INSTALLDIRS=vendor
|
||||
%{__make} %{?_smp_mflags}
|
||||
perl Makefile.PL INSTALLDIRS=vendor
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%check
|
||||
%{__make} test
|
||||
make test
|
||||
|
||||
%install
|
||||
%perl_make_install
|
||||
|
|