r76218 - in /trunk/libxml-atom-perl: Changes MANIFEST META.yml debian/changelog lib/XML/Atom.pm lib/XML/Atom/Client.pm lib/XML/Atom/Content.pm lib/XML/Atom/Server.pm lib/XML/Atom/Thing.pm t/31-external-entities-libxml.t t/31-external-entities-xpath.t

ansgar at users.alioth.debian.org ansgar at users.alioth.debian.org
Tue Jun 21 16:23:22 UTC 2011


Author: ansgar
Date: Tue Jun 21 16:23:20 2011
New Revision: 76218

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=76218
Log:
* Team upload.
* New upstream release.

Added:
    trunk/libxml-atom-perl/t/31-external-entities-libxml.t
      - copied unchanged from r76217, branches/upstream/libxml-atom-perl/current/t/31-external-entities-libxml.t
    trunk/libxml-atom-perl/t/31-external-entities-xpath.t
      - copied unchanged from r76217, branches/upstream/libxml-atom-perl/current/t/31-external-entities-xpath.t
Modified:
    trunk/libxml-atom-perl/Changes
    trunk/libxml-atom-perl/MANIFEST
    trunk/libxml-atom-perl/META.yml
    trunk/libxml-atom-perl/debian/changelog
    trunk/libxml-atom-perl/lib/XML/Atom.pm
    trunk/libxml-atom-perl/lib/XML/Atom/Client.pm
    trunk/libxml-atom-perl/lib/XML/Atom/Content.pm
    trunk/libxml-atom-perl/lib/XML/Atom/Server.pm
    trunk/libxml-atom-perl/lib/XML/Atom/Thing.pm

Modified: trunk/libxml-atom-perl/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libxml-atom-perl/Changes?rev=76218&op=diff
==============================================================================
--- trunk/libxml-atom-perl/Changes (original)
+++ trunk/libxml-atom-perl/Changes Tue Jun 21 16:23:20 2011
@@ -1,6 +1,9 @@
 $Id$
 
 Revision history for XML::Atom
+
+0.39  2011.06.20
+    * Disabled external entities and network to avoid possible security flaw (yannk)
 
 0.38  2011.05.22
     * Fixed a bug where content with newlines wasn't encoded in perl >= 5.12 (emasaka)

Modified: trunk/libxml-atom-perl/MANIFEST
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libxml-atom-perl/MANIFEST?rev=76218&op=diff
==============================================================================
--- trunk/libxml-atom-perl/MANIFEST (original)
+++ trunk/libxml-atom-perl/MANIFEST Tue Jun 21 16:23:20 2011
@@ -49,6 +49,8 @@
 t/28-ext.t
 t/29-source.t
 t/30-datetime-stringification.t
+t/31-external-entities-libxml.t
+t/31-external-entities-xpath.t
 t/samples/atom-1.0.xml
 t/samples/entry-euc.xml
 t/samples/entry-full.xml

Modified: trunk/libxml-atom-perl/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libxml-atom-perl/META.yml?rev=76218&op=diff
==============================================================================
--- trunk/libxml-atom-perl/META.yml (original)
+++ trunk/libxml-atom-perl/META.yml Tue Jun 21 16:23:20 2011
@@ -30,4 +30,4 @@
 resources:
   license: http://dev.perl.org/licenses/
   repository: git://github.com/miyagawa/xml-atom.git
-version: 0.38
+version: 0.39

Modified: trunk/libxml-atom-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libxml-atom-perl/debian/changelog?rev=76218&op=diff
==============================================================================
--- trunk/libxml-atom-perl/debian/changelog (original)
+++ trunk/libxml-atom-perl/debian/changelog Tue Jun 21 16:23:20 2011
@@ -1,3 +1,10 @@
+libxml-atom-perl (0.39-1) unstable; urgency=low
+
+  * Team upload.
+  * New upstream release.
+
+ -- Ansgar Burchardt <ansgar at debian.org>  Tue, 21 Jun 2011 18:22:39 +0200
+
 libxml-atom-perl (0.38-1) unstable; urgency=low
 
   * Team upload.

Modified: trunk/libxml-atom-perl/lib/XML/Atom.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libxml-atom-perl/lib/XML/Atom.pm?rev=76218&op=diff
==============================================================================
--- trunk/libxml-atom-perl/lib/XML/Atom.pm (original)
+++ trunk/libxml-atom-perl/lib/XML/Atom.pm Tue Jun 21 16:23:20 2011
@@ -4,7 +4,7 @@
 use strict;
 
 use 5.008_001;
-our $VERSION = '0.38';
+our $VERSION = '0.39';
 
 BEGIN {
     @XML::Atom::EXPORT = qw( LIBXML DATETIME);
@@ -33,6 +33,26 @@
 
     $XML::Atom::ForceUnicode = 0;
     $XML::Atom::DefaultVersion = 0.3;
+}
+
+sub libxml_parser {
+    ## uses old XML::LibXML < 1.70 interface for compat reasons
+    return XML::LibXML->new(
+        #no_network      => 1, # v1.63+
+        expand_xinclude => 0,
+        expand_entities => 1,
+        load_ext_dtd    => 0,
+        ext_ent_handler => sub { warn "External entities disabled."; '' },
+    );
+}
+
+sub expat_parser {
+    return XML::Parser->new(
+        Handlers => {
+            ExternEnt => sub { warn "External Entities disabled."; '' },
+            ExternEntFin => sub {},
+        },
+    );
 }
 
 use base qw( XML::Atom::ErrorHandler Exporter );
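Review bot: `no_network` is left commented out in `libxml_parser`, so the parser is never told to refuse network access, and the "network" half of the Changes entry rests only on `load_ext_dtd => 0` and the `ext_ent_handler` stub. The inline comment says the option exists from v1.63, so it could be enabled conditionally while keeping older installs working, e.g. `($XML::LibXML::VERSION >= 1.63 ? (no_network => 1) : ()),`. `expand_entities => 1` keeps internal entity expansion on, so nested internal entities are bounded only by whatever limits the underlying library applies; a comment saying this is deliberate would help. Both handlers `warn` once per external entity found in the input, which can flood logs when parsing untrusted feeds, and the two messages differ in capitalisation.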

Modified: trunk/libxml-atom-perl/lib/XML/Atom/Client.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libxml-atom-perl/lib/XML/Atom/Client.pm?rev=76218&op=diff
==============================================================================
--- trunk/libxml-atom-perl/lib/XML/Atom/Client.pm (original)
+++ trunk/libxml-atom-perl/lib/XML/Atom/Client.pm Tue Jun 21 16:23:20 2011
@@ -188,7 +188,7 @@
     if ($client->use_soap && (my $xml = $res->content)) {
         my $doc;
         if (LIBXML) {
-            my $parser = XML::LibXML->new;
+            my $parser = $client->libxml_parser;
             $doc = $parser->parse_string($xml);
         } else {
             my $xp = XML::XPath->new(xml => $xml);
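Review bot: The `else` branch kept as context here still builds `XML::XPath->new(xml => $xml)` with the default parser, so when LIBXML is false a SOAP response body is parsed without the `ExternEnt` stub this release adds. Passing the hardened parser, as Content.pm and Thing.pm now do, would close that gap: `my $xp = XML::XPath->new(xml => $xml, parser => XML::Atom->expat_parser);`. The matching Server.pm hunk also changes only the LIBXML branch and its `else` body is not visible, so it is worth checking for the same omission. The enclosing sub starts and ends outside this hunk.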
@@ -218,6 +218,8 @@
     }
 }
 
+sub libxml_parser { XML::Atom->libxml_parser }
+
 package LWP::UserAgent::AtomClient;
 use strict;
 use Scalar::Util;

Modified: trunk/libxml-atom-perl/lib/XML/Atom/Content.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libxml-atom-perl/lib/XML/Atom/Content.pm?rev=76218&op=diff
==============================================================================
--- trunk/libxml-atom-perl/lib/XML/Atom/Content.pm (original)
+++ trunk/libxml-atom-perl/lib/XML/Atom/Content.pm Tue Jun 21 16:23:20 2011
@@ -54,11 +54,12 @@
             my $node;
             eval {
                 if (LIBXML) {
-                    my $parser = XML::LibXML->new;
+                    my $parser = XML::Atom->libxml_parser;
                     my $tree = $parser->parse_string($copy);
                     $node = $tree->getDocumentElement;
                 } else {
-                    my $xp = XML::XPath->new(xml => $copy);
+                    my $parser = XML::Atom->expat_parser;
+                    my $xp = XML::XPath->new(xml => $copy, parser => $parser);
                     $node = (($xp->find('/')->get_nodelist)[0]->getChildNodes)[0]
                         if $xp;
                 }

Modified: trunk/libxml-atom-perl/lib/XML/Atom/Server.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libxml-atom-perl/lib/XML/Atom/Server.pm?rev=76218&op=diff
==============================================================================
--- trunk/libxml-atom-perl/lib/XML/Atom/Server.pm (original)
+++ trunk/libxml-atom-perl/lib/XML/Atom/Server.pm Tue Jun 21 16:23:20 2011
@@ -284,7 +284,7 @@
     my $server = shift;
     unless (exists $server->{xml_body}) {
         if (LIBXML) {
-            my $parser = XML::LibXML->new;
+            my $parser = $server->libxml_parser;
             $server->{xml_body} =
                 $parser->parse_string($server->request_content);
         } else {
@@ -308,6 +308,8 @@
     }
     $atom;
 }
+
+sub libxml_parser { XML::Atom->libxml_parser }
 
 1;
 __END__

Modified: trunk/libxml-atom-perl/lib/XML/Atom/Thing.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libxml-atom-perl/lib/XML/Atom/Thing.pm?rev=76218&op=diff
==============================================================================
--- trunk/libxml-atom-perl/lib/XML/Atom/Thing.pm (original)
+++ trunk/libxml-atom-perl/lib/XML/Atom/Thing.pm Tue Jun 21 16:23:20 2011
@@ -22,7 +22,7 @@
     my $atom = shift;
     my %param = @_ == 1 ? (Stream => $_[0]) : @_;
     if (my $stream = delete $param{Stream}) {
-        my $parser = XML::LibXML->new;
+        my $parser = delete $param{Parser} || XML::Atom->libxml_parser;
         my $doc;
         if (ref($stream) eq 'SCALAR') {
             $doc = $parser->parse_string($$stream);
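Review bot: The new `Parser` parameter is used as-is, so a caller who passes a plain `XML::LibXML->new` (or a default `XML::Parser` in the XPath variant in the next hunk) silently opts out of the external-entity protection, and nothing here documents that. A comment above the line such as `# A caller-supplied Parser is used unchanged; the caller must disable external entities and network access itself.` would make the contract explicit, and the POD should mention the option. `Parser` is also deleted only inside the `Stream` branch, so without `Stream` it stays in `%param`; whether later code tolerates that is not visible in this hunk. Both subs continue outside the hunks.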
@@ -50,13 +50,14 @@
     my %param = @_ == 1 ? (Stream => $_[0]) : @_;
     my $elem_name = $atom->element_name;
     if (my $stream = delete $param{Stream}) {
+        my $parser = delete $param{Parser} || XML::Atom->expat_parser;
         my $xp;
         if (ref($stream) eq 'SCALAR') {
-            $xp = XML::XPath->new(xml => $$stream);
+            $xp = XML::XPath->new(xml => $$stream, parser => $parser);
         } elsif (ref($stream)) {
-            $xp = XML::XPath->new(ioref => $stream);
+            $xp = XML::XPath->new(ioref => $stream, parser => $parser);
         } else {
-            $xp = XML::XPath->new(filename => $stream);
+            $xp = XML::XPath->new(filename => $stream, parser => $parser);
         }
         my $set = $xp->find('/' . $elem_name);
         unless ($set && $set->size) {



