Re: [cmake-developers] CTest XML outputs unsafe content

[Brad King]

On 08/27/2015 05:02 PM, Daniel Pfeifer wrote:
 I saw cmXMLSafe is used in some places inside CTest.
 Since escaping is handled by cmXMLWriter, this may lead to some double
 encodings.
 
 I have attached two patches that remove all uses of cmXMLSafe from CTest.

Thanks.  Applied with minor tweaks:

 cmExtra{Kate,SublimeText}Generator: Remove unused cmXMLSafe includes
 http://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=b3372db5

 cmCTest{BZR,GIT,P4}: Remove unused cmXMLSafe includes
 http://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=dee84dc7

 CTest: Fix XML double-encoding cases
 http://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=ab2524d6

Since it is a regression I've queued it for merge to 'release'
once testing is clean.

Thanks,
-Brad

-- 

Powered by www.kitware.com

Please keep messages on-topic and check the CMake FAQ at: 
http://www.cmake.org/Wiki/CMake_FAQ

Kitware offers various services to support the CMake community. For more 
information on each offering, please visit:

CMake Support: http://cmake.org/cmake/help/support.html
CMake Consulting: http://cmake.org/cmake/help/consulting.html
CMake Training Courses: http://cmake.org/cmake/help/training.html

Visit other Kitware open-source projects at 
http://www.kitware.com/opensource/opensource.html

Follow this link to subscribe/unsubscribe:
http://public.kitware.com/mailman/listinfo/cmake-developers

Re: [cmake-developers] CTest XML outputs unsafe content

[Brad King]

On 08/27/2015 07:20 AM, Mathieu MARACHE wrote:
 I'm maintaining a CTest output parser for Bamboo. It was reported to me that
 CMake 3.3.1 produced parsing issues in my plugin. After digging into CMake
 source code, it seems that a bug was introduced with the replacement of
 direct use of cmXMLSafe and std::ostream in favor of cmXMLwriter.

For reference, the changes were here:

 Merge topic 'ctest-xml-refactor'
 http://www.cmake.org/gitweb?p=cmake.git;a=commit;h=0c24c231

 cmXMLWriter is, I assume wrongly, output Safe content without
 (quotes, etc.) escaping.

The SafeContent method is for text inside an element like

 ElementContentHere/Element

The SafeAttribute method is for text inside an element attribute

 Element attr=AttributeHere/

The latter needs quotes to be encoded as quot; but the former
does not:

 http://www.w3.org/TR/xml11/#syntax

Have you found an attribute value that does not enocde quotes?

-Brad

-- 

Powered by www.kitware.com

Please keep messages on-topic and check the CMake FAQ at: 
http://www.cmake.org/Wiki/CMake_FAQ

Kitware offers various services to support the CMake community. For more 
information on each offering, please visit:

CMake Support: http://cmake.org/cmake/help/support.html
CMake Consulting: http://cmake.org/cmake/help/consulting.html
CMake Training Courses: http://cmake.org/cmake/help/training.html

Visit other Kitware open-source projects at 
http://www.kitware.com/opensource/opensource.html

Follow this link to subscribe/unsubscribe:
http://public.kitware.com/mailman/listinfo/cmake-developers

Re: [cmake-developers] CTest XML outputs unsafe content

[Daniel Pfeifer]

On Thu, Aug 27, 2015 at 3:34 PM, Brad King brad.k...@kitware.com wrote:
 On 08/27/2015 07:20 AM, Mathieu MARACHE wrote:
 I'm maintaining a CTest output parser for Bamboo. It was reported to me that
 CMake 3.3.1 produced parsing issues in my plugin. After digging into CMake
 source code, it seems that a bug was introduced with the replacement of
 direct use of cmXMLSafe and std::ostream in favor of cmXMLwriter.

 For reference, the changes were here:

  Merge topic 'ctest-xml-refactor'
  http://www.cmake.org/gitweb?p=cmake.git;a=commit;h=0c24c231

 cmXMLWriter is, I assume wrongly, output Safe content without
 (quotes, etc.) escaping.

 The SafeContent method is for text inside an element like

  ElementContentHere/Element

 The SafeAttribute method is for text inside an element attribute

  Element attr=AttributeHere/

 The latter needs quotes to be encoded as quot; but the former
 does not:

  http://www.w3.org/TR/xml11/#syntax

 Have you found an attribute value that does not enocde quotes?

The proposed patch enables the encoding of quotes in content. This
does not seem correct to me.

I saw cmXMLSafe is used in some places inside CTest.
Since escaping is handled by cmXMLWriter, this may lead to some double
encodings.

I have attached two patches that remove all uses of cmXMLSafe from CTest.

-- Daniel
From 6a5962c671373f0c4e90080abc7b7fe7cf731f77 Mon Sep 17 00:00:00 2001
From: Daniel Pfeifer dan...@pfeifer-mail.de
Date: Thu, 16 Jul 2015 21:47:29 +0200
Subject: [PATCH 01/10] remove unused cmXMLSafe includes

---
 Source/CTest/cmCTestBZR.cxx| 1 -
 Source/CTest/cmCTestGIT.cxx| 1 -
 Source/CTest/cmCTestP4.cxx | 1 -
 Source/cmExtraKateGenerator.cxx| 1 -
 Source/cmExtraSublimeTextGenerator.cxx | 1 -
 5 files changed, 5 deletions(-)

diff --git a/Source/CTest/cmCTestBZR.cxx b/Source/CTest/cmCTestBZR.cxx
index 3014a93..587b583 100644
--- a/Source/CTest/cmCTestBZR.cxx
+++ b/Source/CTest/cmCTestBZR.cxx
@@ -14,7 +14,6 @@
 #include cmCTest.h
 #include cmSystemTools.h
 #include cmXMLParser.h
-#include cmXMLSafe.h
 
 #include cmsys/RegularExpression.hxx
 
diff --git a/Source/CTest/cmCTestGIT.cxx b/Source/CTest/cmCTestGIT.cxx
index 5b9208a..bbb3b9d 100644
--- a/Source/CTest/cmCTestGIT.cxx
+++ b/Source/CTest/cmCTestGIT.cxx
@@ -14,7 +14,6 @@
 #include cmCTest.h
 #include cmSystemTools.h
 #include cmAlgorithms.h
-#include cmXMLSafe.h
 
 #include cmsys/RegularExpression.hxx
 #include cmsys/Process.h
diff --git a/Source/CTest/cmCTestP4.cxx b/Source/CTest/cmCTestP4.cxx
index 5ce431a..5e0c54a 100644
--- a/Source/CTest/cmCTestP4.cxx
+++ b/Source/CTest/cmCTestP4.cxx
@@ -13,7 +13,6 @@
 
 #include cmCTest.h
 #include cmSystemTools.h
-#include cmXMLSafe.h
 
 #include cmsys/RegularExpression.hxx
 #include cmsys/Process.h
diff --git a/Source/cmExtraKateGenerator.cxx b/Source/cmExtraKateGenerator.cxx
index 578e7d3..f83b5cf 100644
--- a/Source/cmExtraKateGenerator.cxx
+++ b/Source/cmExtraKateGenerator.cxx
@@ -19,7 +19,6 @@
 #include cmGeneratedFileStream.h
 #include cmTarget.h
 #include cmSystemTools.h
-#include cmXMLSafe.h
 
 #include cmsys/SystemTools.hxx
 
diff --git a/Source/cmExtraSublimeTextGenerator.cxx b/Source/cmExtraSublimeTextGenerator.cxx
index 4e721d4..163a75b 100644
--- a/Source/cmExtraSublimeTextGenerator.cxx
+++ b/Source/cmExtraSublimeTextGenerator.cxx
@@ -21,7 +21,6 @@
 #include cmSourceFile.h
 #include cmSystemTools.h
 #include cmTarget.h
-#include cmXMLSafe.h
 
 #include cmsys/SystemTools.hxx
 
-- 
2.5.0

From 0e640887f75bb354674129bb743753fb2b6e64fc Mon Sep 17 00:00:00 2001
From: Daniel Pfeifer dan...@pfeifer-mail.de
Date: Thu, 16 Jul 2015 21:48:00 +0200
Subject: [PATCH 02/10] remove all usage of cmXMLSafe from CTest escaping is
 handled by cmXMLWriter

---
 Source/CTest/cmCTestMemCheckHandler.cxx | 16 ++--
 Source/CTest/cmCTestTestHandler.cxx |  2 +-
 Source/cmCTest.cxx  |  5 +
 3 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/Source/CTest/cmCTestMemCheckHandler.cxx b/Source/CTest/cmCTestMemCheckHandler.cxx
index 8f26716..acf527a 100644
--- a/Source/CTest/cmCTestMemCheckHandler.cxx
+++ b/Source/CTest/cmCTestMemCheckHandler.cxx
@@ -80,8 +80,8 @@ public:
   int i = 0;
   for(; atts[i] != 0; i+=2)
 {
-ostr   cmXMLSafe(atts[i])
-   -   cmXMLSafe(atts[i+1])  \n;
+ostr   atts[i]
+   -   atts[i+1]  \n;
 }
   ostr  \n;
   this-Log += ostr.str();
@@ -856,7 +856,7 @@ bool cmCTestMemCheckHandler::ProcessMemCheckSanitizerOutput(
   defects++;
   ostr  b   this-ResultStrings[idx]  /b ;
   }
-ostr  cmXMLSafe(*i)  std::endl;
+ostr  *i  std::endl;
 }
   log = ostr.str();
   if(defects)
@@ -908,7 +908,7 @@ bool cmCTestMemCheckHandler::ProcessMemCheckPurifyOutput(
   results[failure] ++;
   defects ++;
   }
-ostr  cmXMLSafe(*i)  std::endl;
+ostr  *i  std::endl;
 }
 
   log = ostr.str();
@@ -1056,7 +1056,7