r76216 - in /branches/upstream/libxml-atom-perl/current: Changes MANIFEST META.yml lib/XML/Atom.pm lib/XML/Atom/Client.pm lib/XML/Atom/Content.pm lib/XML/Atom/Server.pm lib/XML/Atom/Thing.pm t/31-external-entities-libxml.t t/31-external-entities-xpath.t

ansgar at users.alioth.debian.org ansgar at users.alioth.debian.org
Tue Jun 21 16:19:28 UTC 2011


Author: ansgar
Date: Tue Jun 21 16:19:25 2011
New Revision: 76216

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=76216
Log:
[svn-upgrade] new version libxml-atom-perl (0.39)

Added:
    branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t
    branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t
Modified:
    branches/upstream/libxml-atom-perl/current/Changes
    branches/upstream/libxml-atom-perl/current/MANIFEST
    branches/upstream/libxml-atom-perl/current/META.yml
    branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm
    branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm
    branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm
    branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm
    branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm

Modified: branches/upstream/libxml-atom-perl/current/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/Changes?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/Changes (original)
+++ branches/upstream/libxml-atom-perl/current/Changes Tue Jun 21 16:19:25 2011
@@ -1,6 +1,9 @@
 $Id$
 
 Revision history for XML::Atom
+
+0.39  2011.06.20
+    * Disabled external entities and network to avoid possible security flaw (yannk)
 
 0.38  2011.05.22
     * Fixed a bug where content with newlines wasn't encoded in perl >= 5.12 (emasaka)

Modified: branches/upstream/libxml-atom-perl/current/MANIFEST
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/MANIFEST?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/MANIFEST (original)
+++ branches/upstream/libxml-atom-perl/current/MANIFEST Tue Jun 21 16:19:25 2011
@@ -49,6 +49,8 @@
 t/28-ext.t
 t/29-source.t
 t/30-datetime-stringification.t
+t/31-external-entities-libxml.t
+t/31-external-entities-xpath.t
 t/samples/atom-1.0.xml
 t/samples/entry-euc.xml
 t/samples/entry-full.xml

Modified: branches/upstream/libxml-atom-perl/current/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/META.yml?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/META.yml (original)
+++ branches/upstream/libxml-atom-perl/current/META.yml Tue Jun 21 16:19:25 2011
@@ -30,4 +30,4 @@
 resources:
   license: http://dev.perl.org/licenses/
   repository: git://github.com/miyagawa/xml-atom.git
-version: 0.38
+version: 0.39

Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm Tue Jun 21 16:19:25 2011
@@ -4,7 +4,7 @@
 use strict;
 
 use 5.008_001;
-our $VERSION = '0.38';
+our $VERSION = '0.39';
 
 BEGIN {
     @XML::Atom::EXPORT = qw( LIBXML DATETIME);
@@ -33,6 +33,26 @@
 
     $XML::Atom::ForceUnicode = 0;
     $XML::Atom::DefaultVersion = 0.3;
+}
+
+sub libxml_parser {
+    ## uses old XML::LibXML < 1.70 interface for compat reasons
+    return XML::LibXML->new(
+        #no_network      => 1, # v1.63+
+        expand_xinclude => 0,
+        expand_entities => 1,
+        load_ext_dtd    => 0,
+        ext_ent_handler => sub { warn "External entities disabled."; '' },
+    );
+}
+
+sub expat_parser {
+    return XML::Parser->new(
+        Handlers => {
+            ExternEnt => sub { warn "External Entities disabled."; '' },
+            ExternEntFin => sub {},
+        },
+    );
 }
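Review bot: The `no_network => 1` option at line 94 is commented out, so the "network disabled" claim in the Changes entry rests entirely on `ext_ent_handler` returning '' for every external entity, and `expand_entities => 1` on line 96 still leaves internal entity expansion on, so libxml's built-in expansion limits are the only defence against an entity-expansion (billion-laughs) document. Since the comment says the compat concern is only XML::LibXML before 1.63, gate the option on the installed version rather than dropping it: `(XML::LibXML->VERSION >= 1.63 ? (no_network => 1) : ()),`. A `libxml_parser` call also dereferences `XML::LibXML` unconditionally, so callers must keep checking `LIBXML` first; a one-line comment saying so (`## only valid when LIBXML is true`) would help. Minor style: the two handlers emit differently-capitalised messages ("External entities disabled." vs "External Entities disabled."); pick one so log greps match both parsers.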
 
 use base qw( XML::Atom::ErrorHandler Exporter );

Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm Tue Jun 21 16:19:25 2011
@@ -188,7 +188,7 @@
     if ($client->use_soap && (my $xml = $res->content)) {
         my $doc;
         if (LIBXML) {
-            my $parser = XML::LibXML->new;
+            my $parser = $client->libxml_parser;
             $doc = $parser->parse_string($xml);
         } else {
             my $xp = XML::XPath->new(xml => $xml);
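Review bot: The XML::XPath fallback at line 126 still parses the SOAP response with XML::XPath's default XML::Parser, so the external-entity hardening applied to the LIBXML branch on line 123 does not cover installations without XML::LibXML, and the response body is server-controlled input. Pass the hardened parser the way Content.pm and Thing.pm do: `my $xp = XML::XPath->new(xml => $xml, parser => XML::Atom->expat_parser);`. The enclosing method starts and ends outside the hunk; note that Client.pm only gains a `libxml_parser` wrapper and no `expat_parser` counterpart, so subclasses cannot override the expat path the same way.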
@@ -218,6 +218,8 @@
     }
 }
 
+sub libxml_parser { XML::Atom->libxml_parser }
+
 package LWP::UserAgent::AtomClient;
 use strict;
 use Scalar::Util;

Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm Tue Jun 21 16:19:25 2011
@@ -54,11 +54,12 @@
             my $node;
             eval {
                 if (LIBXML) {
-                    my $parser = XML::LibXML->new;
+                    my $parser = XML::Atom->libxml_parser;
                     my $tree = $parser->parse_string($copy);
                     $node = $tree->getDocumentElement;
                 } else {
-                    my $xp = XML::XPath->new(xml => $copy);
+                    my $parser = XML::Atom->expat_parser;
+                    my $xp = XML::XPath->new(xml => $copy, parser => $parser);
                     $node = (($xp->find('/')->get_nodelist)[0]->getChildNodes)[0]
                         if $xp;
                 }

Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm Tue Jun 21 16:19:25 2011
@@ -284,7 +284,7 @@
     my $server = shift;
     unless (exists $server->{xml_body}) {
         if (LIBXML) {
-            my $parser = XML::LibXML->new;
+            my $parser = $server->libxml_parser;
             $server->{xml_body} =
                 $parser->parse_string($server->request_content);
         } else {
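Review bot: Only the LIBXML branch of this accessor is switched to the hardened parser; the `else` branch beginning at line 171 runs past the hunk and no other hunk in this commit touches Server.pm, so it presumably still builds `XML::XPath->new(...)` with the default expat parser. For a server, `request_content` is exactly the untrusted input this change is meant to protect, so that branch should also pass `parser => XML::Atom->expat_parser`. I cannot see the else-branch body from the hunk, so verify against the file before changing it.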
@@ -308,6 +308,8 @@
     }
     $atom;
 }
+
+sub libxml_parser { XML::Atom->libxml_parser }
 
 1;
 __END__

Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm Tue Jun 21 16:19:25 2011
@@ -22,7 +22,7 @@
     my $atom = shift;
     my %param = @_ == 1 ? (Stream => $_[0]) : @_;
     if (my $stream = delete $param{Stream}) {
-        my $parser = XML::LibXML->new;
+        my $parser = delete $param{Parser} || XML::Atom->libxml_parser;
         my $doc;
         if (ref($stream) eq 'SCALAR') {
             $doc = $parser->parse_string($$stream);
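Review bot: The new `Parser` option at line 192 is public API (the added tests rely on it) but nothing in this commit documents it or warns that a caller-supplied plain `XML::LibXML->new` silently re-enables the external-entity and DTD loading the default parser blocks. Add a POD entry along the lines of `Parser => $parser - use this XML::LibXML (or XML::Parser) instance instead of the hardened default; the default disables external entities, so only supply your own parser for input you trust.` Also worth a short comment that `delete $param{Parser} || ...` treats an explicit `Parser => undef` as "use the default", which is the intended behaviour on 5.8 where `//` is unavailable. The enclosing method starts and ends outside the hunk.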
@@ -50,13 +50,14 @@
     my %param = @_ == 1 ? (Stream => $_[0]) : @_;
     my $elem_name = $atom->element_name;
     if (my $stream = delete $param{Stream}) {
+        my $parser = delete $param{Parser} || XML::Atom->expat_parser;
         my $xp;
         if (ref($stream) eq 'SCALAR') {
-            $xp = XML::XPath->new(xml => $$stream);
+            $xp = XML::XPath->new(xml => $$stream, parser => $parser);
         } elsif (ref($stream)) {
-            $xp = XML::XPath->new(ioref => $stream);
+            $xp = XML::XPath->new(ioref => $stream, parser => $parser);
         } else {
-            $xp = XML::XPath->new(filename => $stream);
+            $xp = XML::XPath->new(filename => $stream, parser => $parser);
         }
         my $set = $xp->find('/' . $elem_name);
         unless ($set && $set->size) {

Added: branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t?rev=76216&op=file
==============================================================================
--- branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t (added)
+++ branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t Tue Jun 21 16:19:25 2011
@@ -1,0 +1,58 @@
+use strict;
+use Test::More;
+
+use XML::Atom::Entry;
+use FindBin;
+my $filepath = "$FindBin::Bin/samples/entry-ns.xml";
+
+BEGIN {
+    unless (eval { require XML::LibXML }) {
+        plan skip_all => 'LibXML required for this test';
+    }
+}
+plan tests => 4;
+
+my $xml = <<"EOX";
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE entry [
+<!ENTITY ref SYSTEM "file://$filepath">
+]>
+  <entry xmlns="http://purl.org/atom/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+    <title>Guest Author</title>
+    <link rel="alternate" type="text/html" href="http://ben.stupidfool.org/typepad/2003/07/guest_author.html" />
+    <link rel="service.edit" title="Edit" type="application/x.atom+xml" href="http://www.example.com/atom/entry_id=75207" />
+    <id>tag:typepad.com:post:75207</id>
+    <issued>2003-07-21T02:47:34-07:00</issued>
+    <modified>2003-08-22T18:36:57-07:00</modified>
+    <created>2003-07-21T02:47:34-07:00</created>
+    <summary>No, Ben isn't updating. It's me testing out guest author functionality....</summary>
+    <author>
+      <name>Mena</name>
+      <url>http://mena.typepad.com/</url>
+    </author>
+    <dc:subject>Food</dc:subject>
+    <dc:subject>Cats</dc:subject>
+    <content type="text/html" xml:lang="en-us">&ref;
+<div xmlns="http://www.w3.org/1999/xhtml"><p>No, Ben isn't updating. It's me testing out guest author functionality.</p></div>
+</content>
+  </entry>
+EOX
+
+## default sane parser
+{
+    my $entry = XML::Atom::Entry->new(Stream => \$xml);
+    is $entry->title, "Guest Author", "got title";
+    my $content = $entry->content->body;
+    unlike $content, qr/This is what you get when you do unit testing/,
+        "ignored entity";
+}
+
+## custom parser
+{
+    my $libxml = XML::LibXML->new;
+    my $entry = XML::Atom::Entry->new(Stream => \$xml, Parser => $libxml);
+    is $entry->title, "Guest Author", "got title";
+    my $content = $entry->content->body;
+    like $content, qr/This is what you get when you do unit testing/,
+        "resolved entity";
+}

Added: branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t?rev=76216&op=file
==============================================================================
--- branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t (added)
+++ branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t Tue Jun 21 16:19:25 2011
@@ -1,0 +1,70 @@
+use strict;
+use Test::More;
+
+BEGIN {
+    unless (eval { require XML::XPath }) {
+        plan skip_all => 'XML::XPath required for this test';
+    }
+}
+
+plan tests => 4;
+BEGIN {
+    ## hardcore, because XML::Atom doesn't make it easy to change it at
+    ## runtime
+    require XML::Atom;
+    if (XML::Atom->LIBXML) {
+        no strict 'refs';
+        diag "XPath Override in place";
+        *{XML::Atom::LIBXML} = sub() {0};
+    }
+}
+
+use XML::Parser;
+use XML::Atom::Entry;
+use FindBin;
+my $filepath = "$FindBin::Bin/samples/entry-ns.xml";
+
+my $xml = <<"EOX";
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE entry [
+<!ENTITY ref SYSTEM "file://$filepath">
+]>
+  <entry xmlns="http://purl.org/atom/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+    <title>Guest Author</title>
+    <link rel="alternate" type="text/html" href="http://ben.stupidfool.org/typepad/2003/07/guest_author.html" />
+    <link rel="service.edit" title="Edit" type="application/x.atom+xml" href="http://www.example.com/atom/entry_id=75207" />
+    <id>tag:typepad.com:post:75207</id>
+    <issued>2003-07-21T02:47:34-07:00</issued>
+    <modified>2003-08-22T18:36:57-07:00</modified>
+    <created>2003-07-21T02:47:34-07:00</created>
+    <summary>No, Ben isn't updating. It's me testing out guest author functionality....</summary>
+    <author>
+      <name>Mena</name>
+      <url>http://mena.typepad.com/</url>
+    </author>
+    <dc:subject>Food</dc:subject>
+    <dc:subject>Cats</dc:subject>
+    <content type="text/html" xml:lang="en-us">&ref;
+<div xmlns="http://www.w3.org/1999/xhtml"><p>No, Ben isn't updating. It's me testing out guest author functionality.</p></div>
+</content>
+  </entry>
+EOX
+
+## Sane default
+{
+    my $entry = XML::Atom::Entry->new(Stream => \$xml);
+    is $entry->title, "Guest Author", "got title";
+    my $content = $entry->content->body;
+    unlike $content, qr/This is what you get when you do unit testing/,
+        "ignored entity";
+}
+
+## custom parser
+{
+    my $parser = XML::Parser->new(); # no option
+    my $entry = XML::Atom::Entry->new(Stream => \$xml, Parser => $parser);
+    is $entry->title, "Guest Author", "got title";
+    my $content = $entry->content->body;
+    like $content, qr/This is what you get when you do unit testing/,
+        "resolved entity";
+}



