r76216 - in /branches/upstream/libxml-atom-perl/current: Changes MANIFEST META.yml lib/XML/Atom.pm lib/XML/Atom/Client.pm lib/XML/Atom/Content.pm lib/XML/Atom/Server.pm lib/XML/Atom/Thing.pm t/31-external-entities-libxml.t t/31-external-entities-xpath.t
ansgar at users.alioth.debian.org
ansgar at users.alioth.debian.org
Tue Jun 21 16:19:28 UTC 2011
Author: ansgar
Date: Tue Jun 21 16:19:25 2011
New Revision: 76216
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=76216
Log:
[svn-upgrade] new version libxml-atom-perl (0.39)
Added:
branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t
branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t
Modified:
branches/upstream/libxml-atom-perl/current/Changes
branches/upstream/libxml-atom-perl/current/MANIFEST
branches/upstream/libxml-atom-perl/current/META.yml
branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm
branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm
branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm
branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm
branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm
Modified: branches/upstream/libxml-atom-perl/current/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/Changes?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/Changes (original)
+++ branches/upstream/libxml-atom-perl/current/Changes Tue Jun 21 16:19:25 2011
@@ -1,6 +1,9 @@
$Id$
Revision history for XML::Atom
+
+0.39 2011.06.20
+ * Disabled external entities and network to avoid possible security flaw (yannk)
0.38 2011.05.22
* Fixed a bug where content with newlines wasn't encoded in perl >= 5.12 (emasaka)
Modified: branches/upstream/libxml-atom-perl/current/MANIFEST
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/MANIFEST?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/MANIFEST (original)
+++ branches/upstream/libxml-atom-perl/current/MANIFEST Tue Jun 21 16:19:25 2011
@@ -49,6 +49,8 @@
t/28-ext.t
t/29-source.t
t/30-datetime-stringification.t
+t/31-external-entities-libxml.t
+t/31-external-entities-xpath.t
t/samples/atom-1.0.xml
t/samples/entry-euc.xml
t/samples/entry-full.xml
Modified: branches/upstream/libxml-atom-perl/current/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/META.yml?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/META.yml (original)
+++ branches/upstream/libxml-atom-perl/current/META.yml Tue Jun 21 16:19:25 2011
@@ -30,4 +30,4 @@
resources:
license: http://dev.perl.org/licenses/
repository: git://github.com/miyagawa/xml-atom.git
-version: 0.38
+version: 0.39
Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom.pm Tue Jun 21 16:19:25 2011
@@ -4,7 +4,7 @@
use strict;
use 5.008_001;
-our $VERSION = '0.38';
+our $VERSION = '0.39';
BEGIN {
@XML::Atom::EXPORT = qw( LIBXML DATETIME);
@@ -33,6 +33,26 @@
$XML::Atom::ForceUnicode = 0;
$XML::Atom::DefaultVersion = 0.3;
+}
+
+sub libxml_parser {
+ ## uses old XML::LibXML < 1.70 interface for compat reasons
+ return XML::LibXML->new(
+ #no_network => 1, # v1.63+
+ expand_xinclude => 0,
+ expand_entities => 1,
+ load_ext_dtd => 0,
+ ext_ent_handler => sub { warn "External entities disabled."; '' },
+ );
+}
+
+sub expat_parser {
+ return XML::Parser->new(
+ Handlers => {
+ ExternEnt => sub { warn "External Entities disabled."; '' },
+ ExternEntFin => sub {},
+ },
+ );
}
use base qw( XML::Atom::ErrorHandler Exporter );
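Review bot: `no_network => 1` is left commented out in `libxml_parser`, so the "network" half of the 0.39 Changes entry is not enforced by a parser option; blocking rests on `load_ext_dtd => 0` plus the `ext_ent_handler` callback alone. If the option was dropped only to keep XML::LibXML releases before 1.63 loading, it could be added conditionally, e.g. `($XML::LibXML::VERSION >= 1.63 ? (no_network => 1) : ()),`. A comment should also say why `expand_entities => 1` is kept, since internal entities still expand and their size is then bounded only by whatever limits libxml2 itself applies. The two handlers warn with differently cased messages ("External entities" in `libxml_parser`, "External Entities" in `expat_parser`); one shared string would make log matching easier.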
Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Client.pm Tue Jun 21 16:19:25 2011
@@ -188,7 +188,7 @@
if ($client->use_soap && (my $xml = $res->content)) {
my $doc;
if (LIBXML) {
- my $parser = XML::LibXML->new;
+ my $parser = $client->libxml_parser;
$doc = $parser->parse_string($xml);
} else {
my $xp = XML::XPath->new(xml => $xml);
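Review bot: The `else` branch still builds `XML::XPath->new(xml => $xml)` with the default parser, so when LIBXML is false the SOAP response body received from the remote server is parsed without the external-entity handlers this commit introduces. Pass the hardened parser there, as Content.pm and Thing.pm now do: `my $xp = XML::XPath->new(xml => $xml, parser => XML::Atom->expat_parser);`. The `else` branch in the first Server.pm hunk begins on that hunk's last line and its body is not shown, so it should be checked for the same gap. The enclosing function starts and ends outside this hunk.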
@@ -218,6 +218,8 @@
}
}
+sub libxml_parser { XML::Atom->libxml_parser }
+
package LWP::UserAgent::AtomClient;
use strict;
use Scalar::Util;
Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Content.pm Tue Jun 21 16:19:25 2011
@@ -54,11 +54,12 @@
my $node;
eval {
if (LIBXML) {
- my $parser = XML::LibXML->new;
+ my $parser = XML::Atom->libxml_parser;
my $tree = $parser->parse_string($copy);
$node = $tree->getDocumentElement;
} else {
- my $xp = XML::XPath->new(xml => $copy);
+ my $parser = XML::Atom->expat_parser;
+ my $xp = XML::XPath->new(xml => $copy, parser => $parser);
$node = (($xp->find('/')->get_nodelist)[0]->getChildNodes)[0]
if $xp;
}
Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Server.pm Tue Jun 21 16:19:25 2011
@@ -284,7 +284,7 @@
my $server = shift;
unless (exists $server->{xml_body}) {
if (LIBXML) {
- my $parser = XML::LibXML->new;
+ my $parser = $server->libxml_parser;
$server->{xml_body} =
$parser->parse_string($server->request_content);
} else {
@@ -308,6 +308,8 @@
}
$atom;
}
+
+sub libxml_parser { XML::Atom->libxml_parser }
1;
__END__
Modified: branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm?rev=76216&op=diff
==============================================================================
--- branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm (original)
+++ branches/upstream/libxml-atom-perl/current/lib/XML/Atom/Thing.pm Tue Jun 21 16:19:25 2011
@@ -22,7 +22,7 @@
my $atom = shift;
my %param = @_ == 1 ? (Stream => $_[0]) : @_;
if (my $stream = delete $param{Stream}) {
- my $parser = XML::LibXML->new;
+ my $parser = delete $param{Parser} || XML::Atom->libxml_parser;
my $doc;
if (ref($stream) eq 'SCALAR') {
$doc = $parser->parse_string($$stream);
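Review bot: `delete $param{Parser} || XML::Atom->libxml_parser` lets any caller-supplied parser replace the hardened one, and nothing in the hunk says that doing so brings external entity resolution back (the new tests rely on exactly that). Add a comment such as `## Parser => $obj replaces the safe default; the caller must then disable external entities itself` here and at the matching `expat_parser` line in the next hunk, and describe the parameter in the POD. `Parser` is only consumed inside the `Stream` branch, so whether it lingers in `%param` on other paths cannot be told from the hunk. The enclosing sub continues outside the hunk.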
@@ -50,13 +50,14 @@
my %param = @_ == 1 ? (Stream => $_[0]) : @_;
my $elem_name = $atom->element_name;
if (my $stream = delete $param{Stream}) {
+ my $parser = delete $param{Parser} || XML::Atom->expat_parser;
my $xp;
if (ref($stream) eq 'SCALAR') {
- $xp = XML::XPath->new(xml => $$stream);
+ $xp = XML::XPath->new(xml => $$stream, parser => $parser);
} elsif (ref($stream)) {
- $xp = XML::XPath->new(ioref => $stream);
+ $xp = XML::XPath->new(ioref => $stream, parser => $parser);
} else {
- $xp = XML::XPath->new(filename => $stream);
+ $xp = XML::XPath->new(filename => $stream, parser => $parser);
}
my $set = $xp->find('/' . $elem_name);
unless ($set && $set->size) {
Added: branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t?rev=76216&op=file
==============================================================================
--- branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t (added)
+++ branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t Tue Jun 21 16:19:25 2011
@@ -1,0 +1,58 @@
+use strict;
+use Test::More;
+
+use XML::Atom::Entry;
+use FindBin;
+my $filepath = "$FindBin::Bin/samples/entry-ns.xml";
+
+BEGIN {
+ unless (eval { require XML::LibXML }) {
+ plan skip_all => 'LibXML required for this test';
+ }
+}
+plan tests => 4;
+
+my $xml = <<"EOX";
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE entry [
+<!ENTITY ref SYSTEM "file://$filepath">
+]>
+ <entry xmlns="http://purl.org/atom/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+ <title>Guest Author</title>
+ <link rel="alternate" type="text/html" href="http://ben.stupidfool.org/typepad/2003/07/guest_author.html" />
+ <link rel="service.edit" title="Edit" type="application/x.atom+xml" href="http://www.example.com/atom/entry_id=75207" />
+ <id>tag:typepad.com:post:75207</id>
+ <issued>2003-07-21T02:47:34-07:00</issued>
+ <modified>2003-08-22T18:36:57-07:00</modified>
+ <created>2003-07-21T02:47:34-07:00</created>
+ <summary>No, Ben isn't updating. It's me testing out guest author functionality....</summary>
+ <author>
+ <name>Mena</name>
+ <url>http://mena.typepad.com/</url>
+ </author>
+ <dc:subject>Food</dc:subject>
+ <dc:subject>Cats</dc:subject>
+ <content type="text/html" xml:lang="en-us">&ref;
+<div xmlns="http://www.w3.org/1999/xhtml"><p>No, Ben isn't updating. It's me testing out guest author functionality.</p></div>
+</content>
+ </entry>
+EOX
+
+## default sane parser
+{
+ my $entry = XML::Atom::Entry->new(Stream => \$xml);
+ is $entry->title, "Guest Author", "got title";
+ my $content = $entry->content->body;
+ unlike $content, qr/This is what you get when you do unit testing/,
+ "ignored entity";
+}
+
+## custom parser
+{
+ my $libxml = XML::LibXML->new;
+ my $entry = XML::Atom::Entry->new(Stream => \$xml, Parser => $libxml);
+ is $entry->title, "Guest Author", "got title";
+ my $content = $entry->content->body;
+ like $content, qr/This is what you get when you do unit testing/,
+ "resolved entity";
+}
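Review bot: The "ignored entity" check in the default-parser block passes for any reason the sample text is missing, including an empty body, so it does not show that the entity handler actually ran. Assuming the handler is invoked for `&ref;`, capturing its warning makes the assertion specific: `my @w; local $SIG{__WARN__} = sub { push @w, @_ };` before constructing the entry, then `like "@w", qr/External entities disabled/, "handler fired";`, with the plan raised to 5. This also keeps the expected warning out of the test output. The default-parser block in t/31-external-entities-xpath.t has the same shape; its message is cased "External Entities".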
Added: branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t?rev=76216&op=file
==============================================================================
--- branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t (added)
+++ branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t Tue Jun 21 16:19:25 2011
@@ -1,0 +1,70 @@
+use strict;
+use Test::More;
+
+BEGIN {
+ unless (eval { require XML::XPath }) {
+ plan skip_all => 'XML::XPath required for this test';
+ }
+}
+
+plan tests => 4;
+BEGIN {
+ ## hardcore, because XML::Atom doesn't make it easy to change it at
+ ## runtime
+ require XML::Atom;
+ if (XML::Atom->LIBXML) {
+ no strict 'refs';
+ diag "XPath Override in place";
+ *{XML::Atom::LIBXML} = sub() {0};
+ }
+}
+
+use XML::Parser;
+use XML::Atom::Entry;
+use FindBin;
+my $filepath = "$FindBin::Bin/samples/entry-ns.xml";
+
+my $xml = <<"EOX";
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE entry [
+<!ENTITY ref SYSTEM "file://$filepath">
+]>
+ <entry xmlns="http://purl.org/atom/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+ <title>Guest Author</title>
+ <link rel="alternate" type="text/html" href="http://ben.stupidfool.org/typepad/2003/07/guest_author.html" />
+ <link rel="service.edit" title="Edit" type="application/x.atom+xml" href="http://www.example.com/atom/entry_id=75207" />
+ <id>tag:typepad.com:post:75207</id>
+ <issued>2003-07-21T02:47:34-07:00</issued>
+ <modified>2003-08-22T18:36:57-07:00</modified>
+ <created>2003-07-21T02:47:34-07:00</created>
+ <summary>No, Ben isn't updating. It's me testing out guest author functionality....</summary>
+ <author>
+ <name>Mena</name>
+ <url>http://mena.typepad.com/</url>
+ </author>
+ <dc:subject>Food</dc:subject>
+ <dc:subject>Cats</dc:subject>
+ <content type="text/html" xml:lang="en-us">&ref;
+<div xmlns="http://www.w3.org/1999/xhtml"><p>No, Ben isn't updating. It's me testing out guest author functionality.</p></div>
+</content>
+ </entry>
+EOX
+
+## Sane default
+{
+ my $entry = XML::Atom::Entry->new(Stream => \$xml);
+ is $entry->title, "Guest Author", "got title";
+ my $content = $entry->content->body;
+ unlike $content, qr/This is what you get when you do unit testing/,
+ "ignored entity";
+}
+
+## custom parser
+{
+ my $parser = XML::Parser->new(); # no option
+ my $entry = XML::Atom::Entry->new(Stream => \$xml, Parser => $parser);
+ is $entry->title, "Guest Author", "got title";
+ my $content = $entry->content->body;
+ like $content, qr/This is what you get when you do unit testing/,
+ "resolved entity";
+}
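Review bot: The glob assignment `*{XML::Atom::LIBXML} = sub() {0};` runs after `require XML::Atom`, so any code compiled during that require has presumably already inlined the original constant; only modules loaded afterwards, here `XML::Atom::Entry`, see 0. The existing "hardcore" comment does not state this load-order dependency. A line such as `## must run before XML::Atom::Entry is compiled; LIBXML is inlined at compile time` would stop a later reorder of the `use` lines from silently turning this into a second LibXML test.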