organicmaps/libexpat
13
Fork 0
mirror of https://github.com/libexpat/libexpat.git synced 2025-04-10 15:01:12 +00:00
Code Issues 1 Projects Releases Wiki Activity Actions
4160 commits 3 branches 65 tags 40 MiB
Commit graph

4160 commits

This branch
This branch
All branches
Author SHA1 Message Date
Sebastian Pipping
fa75b96546
Merge pull request #843 from libexpat/issue-838-prepare-release 
Prepare release 2.6.2 (part of #838, ETA 2024-03-13)
 2024-03-13 17:37:37 +01:00
Sebastian Pipping
8548bc03fd Changes: Add call for help 2024-03-13 14:37:05 +01:00
Sebastian Pipping
86d6052c5e Set release date for 2.6.2 2024-03-13 14:37:05 +01:00
Sebastian Pipping
13cff445fa Bump version to 2.6.2 2024-03-13 14:37:05 +01:00
Sebastian Pipping
557f1255f9 Bump version info from 10:1:9 to 10:2:9 
See https://verbump.de/ for what these numbers do
 2024-03-13 14:37:05 +01:00
Sebastian Pipping
98ee1baef8 Changes: Document changes in release Expat 2.6.2 2024-03-13 14:37:05 +01:00
Sebastian Pipping
5bf8ed66ef
Merge pull request #847 from TomasKorbar/doc-makefile 
[2.6.1] Fix DOCBOOK_TO_MAN variable use in doc Makefile
 2024-03-13 14:22:48 +01:00
Tomas Korbar
c32ed08191 Fix DOCBOOK_TO_MAN variable use in doc Makefile 
Not using quotes causes problems when DOCBOOK_TO_MAN contains
command and argument
 2024-03-13 11:01:52 +01:00
Sebastian Pipping
5026213864
Merge pull request #842 from libexpat/issue-839-billion-laughs-isolated-external-parser 
Prevent billion laughs attacks in isolated external parser (part of #839)
 2024-03-07 22:14:09 +01:00
Sebastian Pipping
27525adabd
Merge pull request #841 from libexpat/issue-839-reject-direct-parameter-entity-recursion 
Reject direct parameter entity recursion (part of #839)
 2024-03-07 20:24:13 +01:00
Sebastian Pipping
072eca0b72 tests: Cover amplification tracking for isolated external parser 2024-03-06 23:41:33 +01:00
Sebastian Pipping
1d50b80cf3 lib/xmlparse.c: Detect billion laughs attack with isolated external parser 
When parsing DTD content with code like ..

  XML_Parser parser = XML_ParserCreate(NULL);
  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);

.. there are 0 bytes accounted as direct input and all input from `doc` accounted
as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
the current amplification ratio as "(direct + indirect) / direct", and it did refuse
to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
no amplification over direct input.  As a result, billion laughs attacks from
DTD-only input were not detected with this isolated way of using an external parser.

The new approach is to assume direct input of length not 0 but 22 -- derived from
ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".

GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
finding 66812.
 2024-03-06 23:41:07 +01:00
Sebastian Pipping
565ab44a42 tests: Cover rejection of direct parameter entity recursion 2024-03-06 22:34:26 +01:00
Sebastian Pipping
a4c86a395e lib/xmlparse.c: Reject directly recursive parameter entities 2024-03-06 22:34:26 +01:00
Sebastian Pipping
6bcb991574
Merge pull request #837 from libexpat/extend-2-6-1-change-log 
Add missing #821 #824 to 2.6.1 change log
 2024-03-01 20:15:09 +01:00
Sebastian Pipping
8f75c53615 Changes: Add missing #821 #824 to 2.6.1 change log 2024-02-29 22:09:53 +01:00
Sebastian Pipping
a590b2d584
Merge pull request #834 from libexpat/issue-832-prepare-release 
Prepare release 2.6.1 (part of #832, ETA 2024-02-29)
 2024-02-29 21:19:01 +01:00
Sebastian Pipping
1cf882e79c
Merge pull request #836 from libexpat/issue-828-expose-billion-laughs-api-with-xml-dtd-without-xml-ge 
Expose billion laughs API with `XML_DTD` without `XML_GE` (fixes #828)
 2024-02-29 20:07:11 +01:00
Sebastian Pipping
58ff7c39ea Sync file headers 2024-02-28 23:41:43 +01:00
Sebastian Pipping
fce4b9f3b3 Set release date for 2.6.1 2024-02-28 23:41:42 +01:00
Sebastian Pipping
dfe043fe6a Bump version to 2.6.1 2024-02-28 23:41:31 +01:00
Sebastian Pipping
fbe7b9345b Bump version info from 10:0:9 to 10:1:9 
See https://verbump.de/ for what these numbers do
 2024-02-28 23:41:31 +01:00
Sebastian Pipping
3dc137ea05 Changes: Document changes in release Expat 2.6.1 2024-02-28 23:41:29 +01:00
Sebastian Pipping
ea52834709 doc/reference.html: Drop inaccurate statement about XML_* macros 
The statement is falsified by these macros:
- XML_ATTR_INFO
- XML_DTD
- XML_GE
 2024-02-28 20:47:45 +01:00
Sebastian Pipping
1e028f2ef7 lib/expat.h: Expose billion laughs API for XML_DTD without XML_GE 
Regression from commit caa2719863 .
 2024-02-28 20:47:45 +01:00
Sebastian Pipping
a387201ca4
Merge pull request #833 from libexpat/configure-ac-protect-multilib 
`configure.ac`: Protect against `expat_config.h.in` defining `SIZEOF_VOID_P`
 2024-02-28 00:55:34 +01:00
Sebastian Pipping
0106682ea6 configure.ac: Protect against expat_config.h.in defining SIZEOF_VOID_P 2024-02-27 00:33:53 +01:00
Sebastian Pipping
9dcb74f552
Merge pull request #829 from libexpat/hide-test-only-code-behind-new-macro 
Hide test-only code behind new (internal) macro `XML_TESTING` (alternative to #826)
 2024-02-26 21:41:30 +01:00
Sebastian Pipping
7e2a0da9ba lib: Hide some test-only code behind new macro XML_TESTING 2024-02-21 13:07:35 +01:00
Sebastian Pipping
a4a420eedc Autotools: Turn libexpatinternal.la into standalone library 
.. so that we can now have code in say xmlparse.c that does not
end up in libexpat.so but still runs when executing the test suite.
 2024-02-21 12:53:03 +01:00
Sebastian Pipping
5b940f4a65
Merge pull request #824 from libexpat/issue-821-improve-make-clean-for-configure-without-docbook 
Autotools: Re-work handling of xmlwf.1 (fixes #821)
 2024-02-20 20:40:41 +01:00
Sebastian Pipping
0f6b39d2f5 Autotools: Re-work handling of xmlwf.1 
File "doc/xmlwf.1" should not be cleaned when building with
"./configure --without-docbook", and re-compilation of the file
should take precedence over a pre-built copy where available.

Also, variable CLEANFILES can be used to simplify things a bit
in Makefile.am.
 2024-02-13 20:12:15 +01:00
Sebastian Pipping
b7e1a11011
Merge pull request #817 from SonyMobile/clockless-test 
tests: Replace clock counting with counting scanned bytes
 2024-02-13 18:30:35 +01:00
Snild Dolkow
dc8499f295 tests: Replace clock counting with scanned bytes in linear-time test 
This removes the dependency on CLOCKS_PER_SEC that prevented this test
from running properly on some platforms, as well as the inherent
flakiness of time measurements.

Since later commits have introduced g_bytesScanned (and before that,
g_parseAttempts), we can use that value as a proxy for parse time
instead of clock().
 2024-02-13 14:05:44 +01:00
Snild Dolkow
fe0177cd3f tests: Replace g_parseAttempts with g_bytesScanned 
This was used to estimate the number of scanned bytes. Just exposing
that number directly will be more precise.
 2024-02-13 13:57:35 +01:00
Sebastian Pipping
4ff4c544aa
Merge pull request #820 from libexpat/dependabot/github_actions/actions/upload-artifact-4.3.1 
Actions(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.1
 2024-02-12 14:52:18 +01:00
dependabot[bot]
aed1ed769d
Actions(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.1 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](26f96dfa69...5d5d22a312)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-02-12 12:09:58 +00:00
Sebastian Pipping
226201d10d
Merge pull request #819 from th1722/patch-1 
Fix compiler warnings
 2024-02-11 16:45:16 +01:00
Taichi Haradaguchi
3f60a47cb5 Fix compiler warnings 
> In file included from ./../lib/internal.h:149,
>                  from codepage.c:38:
> ./../lib/expat.h:1045:5: warning: "XML_GE" is not defined, evaluates to 0 [-Wundef]
>  1045 | #if XML_GE == 1
>       |     ^~~~~~
> ./../lib/internal.h:158:5: warning: "XML_GE" is not defined, evaluates to 0 [-Wundef]
>   158 | #if XML_GE == 1
>       |     ^~~~~~
 2024-02-10 23:08:03 +09:00
Sebastian Pipping
4033d6dc57
Merge pull request #818 from libexpat/fix-clang-format-ci 
Get clang-format CI back in sync
 2024-02-08 17:24:26 +01:00
clang-format 18.1.0
d4f958e345 Mass-apply clang-format 18.1.0 2024-02-08 15:21:53 +01:00
Sebastian Pipping
849da3e3fe
Merge pull request #776 from libexpat/issue-775-prepare-release 
Prepare release 2.6.0 (part of #775, ETA is 2024-02-07)
 2024-02-06 17:49:41 +01:00
Sebastian Pipping
2a10e173ab Sync file headers 2024-02-06 14:13:00 +01:00
Sebastian Pipping
92f10eb800 .mailmap: Add Joyce Brum and Owain Davies 2024-02-06 14:08:05 +01:00
Sebastian Pipping
b5ae2481b0 Set release date for 2.6.0 2024-02-06 14:08:05 +01:00
Sebastian Pipping
310a1977f4 Bump version to 2.6.0 2024-02-06 14:08:05 +01:00
Sebastian Pipping
b9fd465231 Bump version info from 9:10:8 to 10:0:9 
See https://verbump.de/ for what these numbers do
 2024-02-06 14:08:05 +01:00
Sebastian Pipping
ae06168b64 Changes: Document changes in release Expat 2.6.0 2024-02-06 14:08:05 +01:00
Sebastian Pipping
8198e4bfed
Merge pull request #815 from libexpat/fix-pkg-config-file-for-static-build-on-windows 
pkg-config: Add missing `-DXML_STATIC` for Windows (alternative to #805)
 2024-02-06 11:09:42 +01:00
Sebastian Pipping
9c16d1c5b4 pkg-config: Add missing -DXML_STATIC (for Windows) 
This affects the output of command "pkg-config --cflags --static expat".
 2024-02-06 00:17:30 +01:00