SUSE:SLE-12-SP2:GA
perl-XML-Twig.15795
perl-XML-Twig-no_xxe.patch
File perl-XML-Twig-no_xxe.patch of Package perl-XML-Twig.15795
diff -Ppuri XML-Twig-3.44/Twig.pm XML-Twig-3.50/Twig.pm --- XML-Twig-3.44/Twig.pm 2013-02-11 17:30:09.000000000 +0100 +++ XML-Twig-3.50/Twig.pm 2016-11-22 15:46:37.000000000 +0100 @@ -515,6 +539,10 @@ sub new if( !$args{NoLWP} && ! _use( 'URI') && ! _use( 'URI::File') && ! _use( 'LWP')) { $self->{twig_ext_ent_handler}= \&XML::Parser::initial_ext_ent_handler } + elsif( $args{NoXxe}) + { $self->{twig_ext_ent_handler}= + sub { my($xp, $base, $path) = @_; $xp->{ErrorMessage}.= "cannot use entities in document when the no_xxe option is on"; return undef; }; + } else { $self->{twig_ext_ent_handler}= \&XML::Parser::file_ext_ent_handler } @@ -10283,6 +10661,18 @@ subroutine) as the argument, this subrou by XML::Parser::Expat C<original_string()> method) and returns a tag and the attributes in a hash (or in a list attribute_name/attribute value). +=item no_xxe + +prevents external entities to be parsed. + +This is a security feature, in case the input XML cannot be trusted. With this +option set to a true value defining external entities in the document will cause +the parse to fail. + +This prevents an entity like C<< <!ENTITY xxe PUBLIC "bar" "/etc/passwd"> >> to +make the password fiel available in the document. + + =item expand_external_ents When this option is used external entities (that are defined) are expanded diff -Ppuri XML-Twig-3.44/Twig_pm.slow XML-Twig-3.50/Twig_pm.slow --- XML-Twig-3.44/Twig_pm.slow 2013-02-11 17:28:16.000000000 +0100 +++ XML-Twig-3.50/Twig_pm.slow 2016-11-22 15:31:20.000000000 +0100 @@ -383,7 +407,7 @@ my $css_sel=0; # set through the css_sel TopDownHandlers => 1, KeepEncoding => 1, DoNotEscapeAmpInAtts => 1, ParseStartTag => 1, KeepAttsOrder => 1, - LoadDTD => 1, DTDHandler => 1, + LoadDTD => 1, DTDHandler => 1, DTDBase => 1, NoXxe => 1, DoNotOutputDTD => 1, NoProlog => 1, ExpandExternalEnts => 1, DiscardSpaces => 1, KeepSpaces => 1, DiscardAllSpaces => 1, 
@@ -515,6 +539,10 @@ sub new if( !$args{NoLWP} && ! _use( 'URI') && ! _use( 'URI::File') && ! _use( 'LWP')) { $self->{twig_ext_ent_handler}= \&XML::Parser::initial_ext_ent_handler } + elsif( $args{NoXxe}) + { $self->{twig_ext_ent_handler}= + sub { my($xp, $base, $path) = @_; $xp->{ErrorMessage}.= "cannot use entities in document when the no_xxe option is on"; return undef; }; + } else { $self->{twig_ext_ent_handler}= \&XML::Parser::file_ext_ent_handler } @@ -10285,6 +10661,18 @@ subroutine) as the argument, this subrou by XML::Parser::Expat C<original_string()> method) and returns a tag and the attributes in a hash (or in a list attribute_name/attribute value). +=item no_xxe + +prevents external entities to be parsed. + +This is a security feature, in case the input XML cannot be trusted. With this +option set to a true value defining external entities in the document will cause +the parse to fail. + +This prevents an entity like C<< <!ENTITY xxe PUBLIC "bar" "/etc/passwd"> >> to +make the password fiel available in the document. + + =item expand_external_ents When this option is used external entities (that are defined) are expanded
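Review bot: In the `sub new` hunk (@@ -515,6 +539,10 @@, present in both Twig.pm and Twig_pm.slow), the new `elsif( $args{NoXxe})` is only reached when the preceding `if( !$args{NoLWP} && ! _use( 'URI') && ! _use( 'URI::File') && ! _use( 'LWP'))` is false. When that first condition is true, the handler is set to `\&XML::Parser::initial_ext_ent_handler` and the refusing closure is never installed, even with no_xxe set. Test `$args{NoXxe}` first so the option holds regardless of which modules load. Minor points in the same closure: `$base` and `$path` are unpacked but unused, and the message says "cannot use entities" while the handler concerns external entities only, so "cannot use external entities" would match the pod text.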
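Review bot: The pod added under `=item no_xxe` (the @@ ... +10661,18 @@ hunk, repeated in Twig_pm.slow) contains a typo, "password fiel" for "password file", and "prevents external entities to be parsed" should read "prevents external entities from being parsed". The entry is placed directly before `=item expand_external_ents` but does not say what happens when both options are given; a sentence stating which one takes effect would remove the ambiguity for callers handling untrusted XML.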
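Review bot: The option-list hunk (@@ -383,7 +407,7 @@ in Twig_pm.slow) adds `NoXxe => 1` next to `LoadDTD => 1, DTDHandler => 1`, but the Twig.pm part of this patch has no matching hunk, only the `sub new` and pod hunks. If Twig.pm is not regenerated from Twig_pm.slow during the build, the two files will disagree on whether NoXxe is a known option, so either include the corresponding Twig.pm change or note in the patch header that Twig.pm is regenerated. The same line also adds `DTDBase => 1`, which is unrelated to a patch named no_xxe and has no pod entry in the visible hunks; it should be split out or explained.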