Hello community, here is the log from the commit of package perl-XML-Simple for openSUSE:Factory checked in at 2018-03-26 11:52:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-XML-Simple (Old) and /work/SRC/openSUSE:Factory/.perl-XML-Simple.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-XML-Simple" Mon Mar 26 11:52:31 2018 rev:26 rq:588468 version:2.25 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-XML-Simple/perl-XML-Simple.changes 2017-04-25 08:57:33.624415937 +0200 +++ /work/SRC/openSUSE:Factory/.perl-XML-Simple.new/perl-XML-Simple.changes 2018-03-26 11:52:33.521554721 +0200 @@ -1,0 +2,11 @@ +Sun Mar 18 07:04:20 UTC 2018 - [email protected] + +- updated to 2.25 + see /usr/share/doc/packages/perl-XML-Simple/Changes + + 2.25 2018-03-18 16:18:24+13:00 Pacific/Auckland + - disable entity expansion when using XML::Parser, for more secure default + behaviour (patch from Ray Morris) + - call to XML::Parser constructor is now in its own method to ease overriding + +------------------------------------------------------------------- Old: ---- XML-Simple-2.24.tar.gz New: ---- XML-Simple-2.25.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-XML-Simple.spec ++++++ --- /var/tmp/diff_new_pack.qYJfKQ/_old 2018-03-26 11:52:34.389523408 +0200 +++ /var/tmp/diff_new_pack.qYJfKQ/_new 2018-03-26 11:52:34.393523263 +0200 @@ -1,7 +1,7 @@ # # spec file for package perl-XML-Simple # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,11 +17,11 @@ Name: perl-XML-Simple -Version: 2.24 +Version: 2.25 Release: 0 %define cpan_name XML-Simple Summary: An API for simple XML files -License: Artistic-1.0 or GPL-1.0+ +License: Artistic-1.0 OR GPL-1.0-or-later Group: Development/Libraries/Perl Url: http://search.cpan.org/dist/XML-Simple/ Source0: https://cpan.metacpan.org/authors/id/G/GR/GRANTM/%{cpan_name}-%{version}.tar.gz ++++++ XML-Simple-2.24.tar.gz -> XML-Simple-2.25.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/Changes new/XML-Simple-2.25/Changes --- old/XML-Simple-2.24/Changes 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/Changes 2018-03-18 04:18:27.000000000 +0100 @@ -1,5 +1,10 @@ Revision history for XML-Simple +2.25 2018-03-18 16:18:24+13:00 Pacific/Auckland + - disable entity expansion when using XML::Parser, for more secure default + behaviour (patch from Ray Morris) + - call to XML::Parser constructor is now in its own method to ease overriding + 2.24 2017-04-17 16:12:00+12:00 Pacific/Auckland - fix typo in last commit with mistakenly removed some underscores - don't initialise $XML::Simple::PREFERRED_PARSER to undef as a caller may diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/LICENSE new/XML-Simple-2.25/LICENSE --- old/XML-Simple-2.24/LICENSE 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/LICENSE 2018-03-18 04:18:27.000000000 +0100 @@ -1,4 +1,4 @@ -This software is copyright (c) 2015 by Grant McLean. +This software is copyright (c) 2018 by Grant McLean. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. @@ -12,7 +12,7 @@ --- The GNU General Public License, Version 1, February 1989 --- -This software is Copyright (c) 2015 by Grant McLean. +This software is Copyright (c) 2018 by Grant McLean. This is free software, licensed under: 
@@ -272,7 +272,7 @@ --- The Artistic License 1.0 --- -This software is Copyright (c) 2015 by Grant McLean. +This software is Copyright (c) 2018 by Grant McLean. This is free software, licensed under: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/MANIFEST new/XML-Simple-2.25/MANIFEST --- old/XML-Simple-2.24/MANIFEST 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/MANIFEST 2018-03-18 04:18:27.000000000 +0100 @@ -22,6 +22,7 @@ t/9_Strict.t t/A_XMLParser.t t/B_Hooks.t +t/C_External_Entities.t t/author-pod-syntax.t t/desertnet.src t/lib/TagsToUpper.pm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/META.json new/XML-Simple-2.25/META.json --- old/XML-Simple-2.24/META.json 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/META.json 2018-03-18 04:18:27.000000000 +0100 @@ -34,6 +34,7 @@ }, "test" : { "requires" : { + "File::Temp" : "0", "Test::More" : "0.88" } } @@ -46,6 +47,6 @@ "web" : "https://github.com/grantm/xml-simple" } }, - "version" : "2.24" + "version" : "2.25" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/META.yml new/XML-Simple-2.25/META.yml --- old/XML-Simple-2.24/META.yml 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/META.yml 2018-03-18 04:18:27.000000000 +0100 @@ -3,6 +3,7 @@ author: - 'Grant McLean <[email protected]>' build_requires: + File::Temp: '0' Test::More: '0.88' configure_requires: ExtUtils::MakeMaker: '0' @@ -20,4 +21,4 @@ perl: '5.008' resources: repository: git://github.com/grantm/xml-simple.git -version: '2.24' +version: '2.25' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/Makefile.PL new/XML-Simple-2.25/Makefile.PL --- old/XML-Simple-2.24/Makefile.PL 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/Makefile.PL 2018-03-18 04:18:27.000000000 +0100 
@@ -22,9 +22,10 @@ "XML::SAX::Expat" => 0 }, "TEST_REQUIRES" => { + "File::Temp" => 0, "Test::More" => "0.88" }, - "VERSION" => "2.24", + "VERSION" => "2.25", "test" => { "TESTS" => "t/*.t" } @@ -32,6 +33,7 @@ my %FallbackPrereqs = ( + "File::Temp" => 0, "Test::More" => "0.88", "XML::NamespaceSupport" => "1.04", "XML::SAX" => "0.15", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/README new/XML-Simple-2.25/README --- old/XML-Simple-2.24/README 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/README 2018-03-18 04:18:27.000000000 +0100 @@ -1,11 +1,11 @@ This archive contains the distribution XML-Simple, -version 2.24: +version 2.25: An API for simple XML files -This software is copyright (c) 2015 by Grant McLean. +This software is copyright (c) 2018 by Grant McLean. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/dist.ini new/XML-Simple-2.25/dist.ini --- old/XML-Simple-2.24/dist.ini 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/dist.ini 2018-03-18 04:18:27.000000000 +0100 @@ -1,9 +1,9 @@ name = XML-Simple author = Grant McLean <[email protected]> -version = 2.24 +version = 2.25 license = Perl_5 copyright_holder = Grant McLean -copyright_year = 2015 +copyright_year = 2018 main_module = lib/XML/Simple.pm repository = git://github.com/grantm/xml-simple.git @@ -24,3 +24,4 @@ [Prereqs / TestRequires] Test::More = 0.88 +File::Temp = 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/lib/XML/Simple/FAQ.pod new/XML-Simple-2.25/lib/XML/Simple/FAQ.pod --- old/XML-Simple-2.24/lib/XML/Simple/FAQ.pod 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/lib/XML/Simple/FAQ.pod 2018-03-18 04:18:27.000000000 +0100 
@@ -6,21 +6,34 @@ =head1 Basics -=head2 What is XML::Simple designed to be used for? +=head2 What should I use XML::Simple for? + +Nothing! + +It's as simple as that. + +Choose a better module. See +L<Perl XML::LibXML by Example|http://grantm.github.io/perl-libxml-by-example/> +for a gentle introduction to L<XML::LibXML> with lots of examples. + + +=head2 What was XML::Simple designed to be used for? XML::Simple is a Perl module that was originally developed as a tool for -reading and writing configuration data in XML format. You can use it for -many other purposes that involve storing and retrieving structured data in -XML. - -You might also find XML::Simple a good starting point for playing with XML -from Perl. It doesn't have a steep learning curve and if you outgrow its -capabilities there are plenty of other Perl/XML modules to 'step up' to. +reading and writing configuration data in XML format. You could use it for +other purposes that involve storing and retrieving structured data in +XML but it's likely to be a frustrating experience. =head2 Why store configuration data in XML anyway? -The many advantages of using XML format for configuration data include: +It seemed like a good idea at the time. Now, I use and recommend +L<Config::General> which uses a format similar to that used by the Apache web +server. This is easier to read than XML while still allowing advanced concepts +such as nested sections. + +At the time XML::Simple was written, the advantages of using XML format for +configuration data were thought to include: =over 4 
@@ -75,6 +88,13 @@ marked up text rather than structured data, you should probably use another module. +If your source XML documents change regularly, it's likely that you will +experience intermittent failures. In particular, failure to properly use the +ForceArray and KeyAttr options will produce code that works when you get a list +of elements with the same name, but fails when there's only one item in the +list. These types of problems can be avoided by not using XML::Simple in the +first place. + If you are working with very large XML files, XML::Simple's approach of representing the whole file in memory as a 'tree' data structure may not be suitable. @@ -131,8 +151,10 @@ =head2 How do I install XML::Simple? -If you're running ActiveState Perl, you've probably already got XML::Simple -(although you may want to upgrade to version 1.09 or better for SAX support). +If you're running ActiveState Perl, or +L<Strawberry Perl|http://strawberryperl.com/> you've probably already got +XML::Simple and therefore do not need to install it at all. But you probably +also have L<XML::LibXML>, which is a much better module, so just use that. If you do need to install XML::Simple, you'll need to install an XML parser module first. Install either XML::Parser (which you may have already) or 
@@ -216,14 +238,12 @@ =head2 How do I use XML::Simple? -If you had an XML document called /etc/appconfig/foo.xml you could 'slurp' it -into a simple data structure (typically a hashref) with these lines of code: - - use XML::Simple; - - my $config = XMLin('/etc/appconfig/foo.xml'); +If you don't know how to use XML::Simple then the best approach is to +L<learn to use XML::LibXML|http://grantm.github.io/perl-libxml-by-example/> +instead. Stop reading this document and use that one instead. -The XMLin() function accepts options after the filename. +If you are determined to use XML::Simple, it come with copious documentation, +so L<read that|XML::Simple>. =head2 There are so many options, which ones do I really need to know about? diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/lib/XML/Simple.pm new/XML-Simple-2.25/lib/XML/Simple.pm --- old/XML-Simple-2.24/lib/XML/Simple.pm 2017-04-17 06:12:03.000000000 +0200 +++ new/XML-Simple-2.25/lib/XML/Simple.pm 2018-03-18 04:18:27.000000000 +0100 @@ -1,12 +1,12 @@ package XML::Simple; -$XML::Simple::VERSION = '2.24'; +$XML::Simple::VERSION = '2.25'; =head1 NAME XML::Simple - An API for simple XML files =head1 SYNOPSIS -You really don't want to use this module in new code. If you ignore this +PLEASE DO NOT USE THIS MODULE IN NEW CODE. If you ignore this warning and use it anyway, the C<qw(:strict)> mode will save you a little pain. use XML::Simple qw(:strict); @@ -427,7 +427,8 @@ carp "'nsexpand' option requires XML::SAX"; } - my $xp = XML::Parser->new(Style => 'Tree', @{$self->{opt}->{parseropts}}); + my $xp = $self->new_xml_parser(); + my($tree); if($filename) { # $tree = $xp->parsefile($filename); # Changed due to prob w/mod_perl 
@@ -443,6 +444,23 @@ ############################################################################## +# Method: new_xml_parser() +# +# Simply calls the XML::Parser constructor. Override this method to customise +# the behaviour of the parser. +# + +sub new_xml_parser { + my($self) = @_; + + my $xp = XML::Parser->new(Style => 'Tree', @{$self->{opt}->{parseropts}}); + $xp->setHandlers(ExternEnt => sub {return $_[2]}); + + return $xp; +} + + +############################################################################## # Method: cache_write_storable() # # Wrapper routine for invoking Storable::nstore() to cache a parsed data @@ -1906,10 +1924,13 @@ =head1 STATUS OF THIS MODULE -The use of this module in new code is discouraged. Other modules are available -which provide more straightforward and consistent interfaces. In particular, -L<XML::LibXML> is highly recommended and L<XML::Twig> is an excellent -alternative. +The use of this module in new code is B<strongly discouraged>. Other modules +are available which provide more straightforward and consistent interfaces. In +particular, L<XML::LibXML> is highly recommended and you can refer to +L<Perl XML::LibXML by Example|http://grantm.github.io/perl-libxml-by-example/> +for a tutorial introduction. + +L<XML::Twig> is another excellent alternative. The major problems with this module are the large number of options (some of which have unfortunate defaults) and the arbitrary ways in which these options 
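Review bot: In `new_xml_parser`, `setHandlers(ExternEnt => ...)` runs after the constructor has consumed `parseropts`, so an `ExternEnt` handler that a caller passed through ParserOpts `Handlers` appears to be silently replaced. That is the safer default, but the header comment still says the method "Simply calls the XML::Parser constructor", and nothing tells the caller that subclassing is now the only way to change entity handling. I would add a comment above the `setHandlers` line such as `# Never fetch external entities: the reference is replaced by its system identifier; override new_xml_parser() to change this.` and repeat that sentence in the `=item new_xml_parser()` POD. As far as XML::Parser documents it, a string returned from an ExternEnt handler is parsed as the entity's content, so a system identifier containing `<` or `&` would presumably surface as markup or a parse error rather than literal text. Returning `''` would avoid that, though the second assertion in t/C_External_Entities.t would then need to change.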
@@ -2871,6 +2892,11 @@ =over 4 +=item new_xml_parser() + +This method will be called when a new XML::Parser object must be constructed +(either because XML::SAX is not installed or XML::Parser is preferred). + =item handle_options(direction, name => value ...) This method will be called when one of the parsing methods or the C<XMLout()> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/XML-Simple-2.24/t/C_External_Entities.t new/XML-Simple-2.25/t/C_External_Entities.t --- old/XML-Simple-2.24/t/C_External_Entities.t 1970-01-01 01:00:00.000000000 +0100 +++ new/XML-Simple-2.25/t/C_External_Entities.t 2018-03-18 04:18:27.000000000 +0100 @@ -0,0 +1,35 @@ +use strict; +use warnings; +use Test::More; +use File::Temp qw(tempfile); + +eval { require XML::Parser; }; +if($@) { + plan skip_all => 'no XML::Parser'; +} + +plan tests => 2; + +use XML::Simple; + +$XML::Simple::PREFERRED_PARSER = 'XML::Parser'; + +my ($fh, $filename) = tempfile(UNLINK => 1); +print $fh "bad"; +close $fh; + +my $xml = qq(<?xml version="1.0"?> +<!DOCTYPE foo [ <!ELEMENT foo ANY > +<!ENTITY xxe SYSTEM "file://$filename" >]> +<creds> + <user>&xxe;</user> + <pass>mypass</pass> +</creds> +); + +my $opt = XMLin($xml); +isnt($opt->{'user'}, 'bad', 'External entity not retrieved'); +like($opt->{'user'}, qr/^file/, 'External entity left as URL'); + +unlink($filename) if (-f $filename); +exit(0);
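Review bot: The new t/C_External_Entities.t pins `$XML::Simple::PREFERRED_PARSER = 'XML::Parser'`, so the XML::SAX path is not checked for external-entity fetching at all, and going by the added POD that path does not call `new_xml_parser`. Either run the same document through the SAX back end when it is installed, or add a comment such as `# Only the XML::Parser path is hardened; XML::SAX behaviour depends on the installed SAX parser.` so the coverage gap is explicit. Smaller points: `print $fh "bad"` and `close $fh` are unchecked, which weakens the `isnt(..., 'bad')` assertion if the write fails; `print {$fh} 'bad' or die "write $filename: $!";` and `close $fh or die "close $filename: $!";` would fix that. The trailing `unlink($filename)` duplicates `UNLINK => 1`.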
