This is an automated email from the git hooks/post-receive script. kanashiro-guest pushed a commit to branch master in repository libxml-rss-perl.
commit b7e2455333285f5e3950da850c1e687e3f80fc4c Author: Lucas Kanashiro <kanashiro.dua...@gmail.com> Date: Thu Jul 23 23:53:30 2015 -0300 Imported Upstream version 1.56 --- Changes | 6 ++++++ META.json | 6 +++--- META.yml | 6 +++--- lib/XML/RSS.pm | 5 ++++- t/2.0-parse-2.t | 32 +++++++++++++++++++++++++++++++- 5 files changed, 47 insertions(+), 8 deletions(-) diff --git a/Changes b/Changes index 84c9794..11171c1 100644 --- a/Changes +++ b/Changes @@ -1,5 +1,11 @@ Revision history for Perl module XML::RSS +1.56 2014-12-04 + - Fix https://rt.cpan.org/Ticket/Display.html?id=100660 + - XML External Entities Exploit, as reported here: + - http://mikeknoop.com/lxml-xxe-exploit/ + - Security. + 1.55 2014-04-15 - Fix the tests for DateTime-Format-Mail-0.400. diff --git a/META.json b/META.json index 5bd4e62..6861839 100644 --- a/META.json +++ b/META.json @@ -4,7 +4,7 @@ "Shlomi Fish <shlo...@cpan.org>" ], "dynamic_config" : 1, - "generated_by" : "Module::Build version 0.4205", + "generated_by" : "Module::Build version 0.421", "keywords" : [ "feed", "feeds", @@ -52,7 +52,7 @@ "provides" : { "XML::RSS" : { "file" : "lib/XML/RSS.pm", - "version" : "1.55" + "version" : "1.56" }, "XML::RSS::Private::Output::Base" : { "file" : "lib/XML/RSS/Private/Output/Base.pm" @@ -86,5 +86,5 @@ "url" : "https://github.com/shlomif/perl-XML-RSS" } }, - "version" : "1.55" + "version" : "1.56" } diff --git a/META.yml b/META.yml index 91c9b6c..8e6933d 100644 --- a/META.yml +++ b/META.yml @@ -8,7 +8,7 @@ build_requires: configure_requires: Module::Build: '0.36' dynamic_config: 1 -generated_by: 'Module::Build version 0.4205, CPAN::Meta::Converter version 2.140640' +generated_by: 'Module::Build version 0.421, CPAN::Meta::Converter version 2.142060' keywords: - feed - feeds @@ -29,7 +29,7 @@ name: XML-RSS provides: XML::RSS: file: lib/XML/RSS.pm - version: '1.55' + version: '1.56' XML::RSS::Private::Output::Base: file: lib/XML/RSS/Private/Output/Base.pm XML::RSS::Private::Output::Roles::ImageDims: 
@@ -55,4 +55,4 @@ resources: homepage: http://perl-rss.sourceforge.net/ license: http://dev.perl.org/licenses/ repository: https://github.com/shlomif/perl-XML-RSS -version: '1.55' +version: '1.56' diff --git a/lib/XML/RSS.pm b/lib/XML/RSS.pm index e3c9304..1051771 100644 --- a/lib/XML/RSS.pm +++ b/lib/XML/RSS.pm @@ -16,7 +16,7 @@ use vars qw($VERSION $AUTOLOAD @ISA $AUTO_ADD); require 5.008; -$VERSION = '1.55'; +$VERSION = '1.56'; $AUTO_ADD = 0; @@ -1267,6 +1267,9 @@ sub _get_parser { # Detach the parser to avoid reference loops. $self->_parser(undef); }, + ExternEnt => sub { + return ''; + }, } ); } diff --git a/t/2.0-parse-2.t b/t/2.0-parse-2.t index 804e38f..7a1fe29 100644 --- a/t/2.0-parse-2.t +++ b/t/2.0-parse-2.t @@ -3,7 +3,7 @@ use strict; use warnings; -use Test::More tests => 13; +use Test::More tests => 14; use XML::RSS; use File::Spec; 
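Review bot: The `ExternEnt` handler added to `_get_parser` in lib/XML/RSS.pm has no comment marking it as a security control, so a later cleanup could remove what looks like a no-op callback. I would put `# Security (RT #100660): never resolve external entities; returning '' substitutes empty content.` directly above it. The handler also discards the reference silently, so a feed that declares a SYSTEM entity leaves no trace for whoever operates the consumer. A `warn` that names the system identifier (the third argument XML::Parser passes to this handler) before `return '';` would give a detection signal without changing the parsed result. The rest of `_get_parser` lies outside the hunk, so whether other parser options such as `ParseParamEnt` are set there cannot be checked from these lines.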
@@ -195,3 +195,33 @@ EOF
 "media:desc type is OK.",
 );
 }
+
+{
+ my $rss = XML::RSS->new();
+
+ $rss->parse(<<'EOF');
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE title [ <!ELEMENT title ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+<channel>
+ <title>The Blog</title>
+ <link>http://example.com/</link>
+ <description>A blog about things</description>
+ <lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
+ <item>
+ <title>Without&xxe;Entity</title>
+ <link>http://example.com</link>
+ <description>a post</description>
+ <author>aut...@example.com</author>
+ <pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
+ </item>
+</channel>
+</rss>
+EOF
+
+ # TEST
+ is ($rss->{items}->[0]->{title}, "WithoutEntity",
+ "Fix for RT #100660 - XML External Entities Exploit",
+ );
+}
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libxml-rss-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
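Review bot: The new regression block in t/2.0-parse-2.t points the entity at `file:///etc/passwd`, so what the test proves depends on the host it runs on. Where that file is absent or unreadable, the result is presumably not the same check. Pointing the entity at a fixture file shipped next to the test, holding a known marker string, would make the test behave the same on every platform. The single `is` also inspects only the first item's title; asserting that the marker appears nowhere in the parsed structure would additionally catch a regression that leaks the entity into another field. A comment above the block, such as `# RT #100660: external entities must expand to nothing, never to file contents.`, would tell a reader why the DOCTYPE is there.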