On Thu, Oct 5, 2017 at 5:09 AM, Bert Huijben <b...@qqmail.nl> wrote: > Both Serf and Subversion default to using the shared library version of > apr, but have a flag to switch to using the static library version. > > > > Subversion uses the expat apis directly, and both serf and subversion > hardcode ‘xml.lib’ in their buildscripts. Subversion has a hack to also > support libexpat.lib for some other builds (probably recently added for > somebody using the makefile build). We define ‘XML_STATIC’ in both shared > and static library cases. >
The only risk to this is data pointers, which aren't handled as PIC, so they may not be relocatable, and the text page has historically not been fixed up, leading to segfaults in certain circumstances. The converse, omitting XML_STATIC may lead to "Exported symbols imported" in the static case, which indicates that pic relocation table was used when not needed. The later is preferable to the former. Cleaning up inappropriate references to XML_STATIC would be a good idea for the dynamic lib, that is a very unwise declaration. When it is using a shared lib of apr by default, the shared libexpat.lib and .dll is certainly preferable, simpler to substitute a fixed version of a vulnerable so. And to avoid linking static expat to libapr, then libapr + static expat into svn components.
