Hi all

https://github.com/apache/ant-ivy/pull/111 made me dig a bit deeper into
Ivy's XML handling, which is a bit strange given I was involved in
fixing CVE-2022-46751 :-)

Currently the XML parser works under the assumption that the default
namespace of an Ivy module is Ivy's. So it considers

<ivy-module version="1.0" xmlns="https://example.org/foo">
  <info organisation="myorg" module="mymodule" />
</ivy-module>

a valid module, as long as I disable XML validation (which is a separate
issue of its own).

On the other hand it believes

<ivy:ivy-module version="1.0"
xmlns:ivy="http://ant.apache.org/ivy/schemas/ivy.xsd">
  <ivy:info ivy:organisation="myorg" ivy:module="mymodule" />
</ivy:ivy-module>

to not be a valid Ivy module.

I'm afraid fixing the first issue might break backwards compatibility
but I'm going to work on a PR fixing the second. This may require
rethinking the way XmlHelper handles the "validate" property as it
currently assumes the root namespace to be Ivy's. I'm not sure how long
it is going to take me to finish this.

When writing XML descriptors I believe XML namespace handling is wrong
as well (at least in the update case) and I'll address this separately
when I reach my next open source timeslice.

Stefan
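
The two outcomes described in the message, reproduced as an added example that is not part of the original mail and not Ivy's own code (it does not touch XmlHelper; it is written in Python with the standard library rather than in Java so it runs stand-alone). It contrasts matching on the qualified element name as written, which is what the message says happens today, with a check on the (namespace URI, local name) pair. The Ivy namespace URI and the two descriptors are taken from the message; the other two descriptors, the `accept_no_namespace` switch and the rule that an attribute may appear either unprefixed or in the Ivy namespace are assumptions made for the example.

```python
"""Namespace-aware recognition of an Ivy module descriptor (added example,
not Ivy's own code).  Compares a qualified-name check, which ignores
namespaces, with a check on (namespace URI, local name)."""
from xml.dom import minidom

IVY_NS = "http://ant.apache.org/ivy/schemas/ivy.xsd"  # from the message

# Constructed input 1 (from the message): foreign default namespace.
FOREIGN_DEFAULT_NS = """<ivy-module version="1.0" xmlns="https://example.org/foo">
  <info organisation="myorg" module="mymodule" />
</ivy-module>"""

# Constructed input 2 (from the message): Ivy's namespace bound to a prefix.
PREFIXED_IVY_NS = """<ivy:ivy-module version="1.0"
xmlns:ivy="http://ant.apache.org/ivy/schemas/ivy.xsd">
  <ivy:info ivy:organisation="myorg" ivy:module="mymodule" />
</ivy:ivy-module>"""

# Constructed input 3 (assumed variant): Ivy's namespace as the default.
# Unprefixed attributes are never in the default namespace, so
# "organisation" here has no namespace even though <info> is in IVY_NS.
DEFAULT_IVY_NS = """<ivy-module version="1.0" xmlns="http://ant.apache.org/ivy/schemas/ivy.xsd">
  <info organisation="myorg" module="mymodule" />
</ivy-module>"""

# Constructed input 4 (assumed variant): no namespace at all.
NO_NS = """<ivy-module version="1.0">
  <info organisation="myorg" module="mymodule" />
</ivy-module>"""


def _element_children(node):
    return [c for c in node.childNodes if c.nodeType == c.ELEMENT_NODE]


def looks_like_ivy_by_qname(doc_xml):
    """Qualified-name check: compares the element name as written and never
    consults the namespace URI.  A foreign default namespace passes and a
    prefixed Ivy namespace fails, the behaviour the message describes."""
    root = minidom.parseString(doc_xml).documentElement
    if root.tagName != "ivy-module":
        return False
    infos = [c for c in _element_children(root) if c.tagName == "info"]
    return bool(infos) and all(
        infos[0].getAttribute(a) != "" for a in ("organisation", "module"))


def _attr(elem, local_name):
    """Assumption for this example: an attribute counts whether it is
    unprefixed (no namespace) or carries the Ivy namespace."""
    return (elem.getAttributeNS(None, local_name)
            or elem.getAttributeNS(IVY_NS, local_name))


def is_ivy_module(doc_xml, accept_no_namespace=True):
    """Namespace-aware check on (namespace URI, local name).

    accept_no_namespace keeps descriptors with no namespace working
    (assumed backwards-compatibility rule); a foreign default namespace
    is rejected regardless."""
    allowed = {IVY_NS}
    if accept_no_namespace:
        allowed.add(None)  # minidom reports "no namespace" as None
    root = minidom.parseString(doc_xml).documentElement
    if root.localName != "ivy-module" or root.namespaceURI not in allowed:
        return False
    infos = [c for c in _element_children(root)
             if c.localName == "info" and c.namespaceURI == root.namespaceURI]
    if not infos:
        return False
    return all(_attr(infos[0], a) != "" for a in ("organisation", "module"))


if __name__ == "__main__":
    for name, doc in [("foreign default ns", FOREIGN_DEFAULT_NS),
                      ("prefixed ivy ns", PREFIXED_IVY_NS),
                      ("default ivy ns", DEFAULT_IVY_NS),
                      ("no ns", NO_NS)]:
        print(f"{name:20} qname={looks_like_ivy_by_qname(doc)!s:5} "
              f"namespace-aware={is_ivy_module(doc)}")
```

The inputs are inline constants, so DTD handling is not exercised here; a parser fed untrusted descriptors should additionally refuse DOCTYPE and external entities, which is a separate concern from the namespace matching shown above.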
