This is an automated email from the git hooks/post-receive script.

kanashiro-guest pushed a commit to branch master
in repository libxml-rss-perl.

commit b7e2455333285f5e3950da850c1e687e3f80fc4c
Author: Lucas Kanashiro <kanashiro.dua...@gmail.com>
Date:   Thu Jul 23 23:53:30 2015 -0300

    Imported Upstream version 1.56
---
 Changes         |  6 ++++++
 META.json       |  6 +++---
 META.yml        |  6 +++---
 lib/XML/RSS.pm  |  5 ++++-
 t/2.0-parse-2.t | 32 +++++++++++++++++++++++++++++++-
 5 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/Changes b/Changes
index 84c9794..11171c1 100644
--- a/Changes
+++ b/Changes
@@ -1,5 +1,11 @@
 Revision history for Perl module XML::RSS
 
+1.56    2014-12-04
+    - Fix https://rt.cpan.org/Ticket/Display.html?id=100660
+        - XML External Entities Exploit, as reported here:
+            - http://mikeknoop.com/lxml-xxe-exploit/
+        - Security.
+
 1.55    2014-04-15
     - Fix the tests for DateTime-Format-Mail-0.400.
 
diff --git a/META.json b/META.json
index 5bd4e62..6861839 100644
--- a/META.json
+++ b/META.json
@@ -4,7 +4,7 @@
       "Shlomi Fish <shlo...@cpan.org>"
    ],
    "dynamic_config" : 1,
-   "generated_by" : "Module::Build version 0.4205",
+   "generated_by" : "Module::Build version 0.421",
    "keywords" : [
       "feed",
       "feeds",
@@ -52,7 +52,7 @@
    "provides" : {
       "XML::RSS" : {
          "file" : "lib/XML/RSS.pm",
-         "version" : "1.55"
+         "version" : "1.56"
       },
       "XML::RSS::Private::Output::Base" : {
          "file" : "lib/XML/RSS/Private/Output/Base.pm"
@@ -86,5 +86,5 @@
          "url" : "https://github.com/shlomif/perl-XML-RSS";
       }
    },
-   "version" : "1.55"
+   "version" : "1.56"
 }
diff --git a/META.yml b/META.yml
index 91c9b6c..8e6933d 100644
--- a/META.yml
+++ b/META.yml
@@ -8,7 +8,7 @@ build_requires:
 configure_requires:
   Module::Build: '0.36'
 dynamic_config: 1
-generated_by: 'Module::Build version 0.4205, CPAN::Meta::Converter version 
2.140640'
+generated_by: 'Module::Build version 0.421, CPAN::Meta::Converter version 
2.142060'
 keywords:
   - feed
   - feeds
@@ -29,7 +29,7 @@ name: XML-RSS
 provides:
   XML::RSS:
     file: lib/XML/RSS.pm
-    version: '1.55'
+    version: '1.56'
   XML::RSS::Private::Output::Base:
     file: lib/XML/RSS/Private/Output/Base.pm
   XML::RSS::Private::Output::Roles::ImageDims:
@@ -55,4 +55,4 @@ resources:
   homepage: http://perl-rss.sourceforge.net/
   license: http://dev.perl.org/licenses/
   repository: https://github.com/shlomif/perl-XML-RSS
-version: '1.55'
+version: '1.56'
diff --git a/lib/XML/RSS.pm b/lib/XML/RSS.pm
index e3c9304..1051771 100644
--- a/lib/XML/RSS.pm
+++ b/lib/XML/RSS.pm
@@ -16,7 +16,7 @@ use vars qw($VERSION $AUTOLOAD @ISA $AUTO_ADD);
 
 require 5.008;
 
-$VERSION = '1.55';
+$VERSION = '1.56';
 
 $AUTO_ADD = 0;
 
@@ -1267,6 +1267,9 @@ sub _get_parser {
                 # Detach the parser to avoid reference loops.
                 $self->_parser(undef);
             },
+            ExternEnt => sub {
+                return '';
+            },
         }
     );
 }
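Review bot: The new `ExternEnt` handler has no comment saying why it returns an empty string, and nothing tells callers that external entity references are now dropped unconditionally. A comment above it such as `# Never resolve external entities (RT #100660): expand them to '' instead of fetching the system identifier.` would keep a later maintainer from removing it as dead code. The handler ignores its arguments, so a feed that references an external entity parses with that text silently missing and no warning; the POD for `parse` should say so. `_get_parser` starts outside this hunk, so whether caller-supplied parser options can replace this handler cannot be checked from here.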
diff --git a/t/2.0-parse-2.t b/t/2.0-parse-2.t
index 804e38f..7a1fe29 100644
--- a/t/2.0-parse-2.t
+++ b/t/2.0-parse-2.t
@@ -3,7 +3,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 13;
+use Test::More tests => 14;
 
 use XML::RSS;
 use File::Spec;
@@ -195,3 +195,33 @@ EOF
         "media:desc type is OK.",
     );
 }
+
+{
+    my $rss = XML::RSS->new();
+
+    $rss->parse(<<'EOF');
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE title [ <!ELEMENT title ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom";>
+<channel>
+    <title>The Blog</title>
+    <link>http://example.com/</link>
+    <description>A blog about things</description>
+    <lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
+    <item>
+        <title>Without&xxe;Entity</title>
+        <link>http://example.com</link>
+        <description>a post</description>
+        <author>aut...@example.com</author>
+        <pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
+    </item>
+</channel>
+</rss>
+EOF
+
+    # TEST
+    is ($rss->{items}->[0]->{title}, "WithoutEntity",
+        "Fix for RT #100660 - XML External Entities Exploit",
+    );
+}
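Review bot: The entity in the new test points at `file:///etc/passwd`, so if the fix ever regresses, the failing `is` will print the build host's passwd contents into the TAP diagnostics and any log that captures them. The test also depends on that file existing on the host. Pointing the entity at a file the test creates, holding a known marker, makes the failure mode deterministic and allows asserting the marker's absence directly. The extra assertion would raise the plan at the top of the file to 15, and File::Temp (core) is not imported in the visible lines.

```perl
    # Fixture with a known marker, so a regression never pulls host data
    # into the test output.
    my ($fh, $fixture) = File::Temp::tempfile(UNLINK => 1);
    print {$fh} "XXE_MARKER";
    close($fh);

    my $xml = <<'EOF';
# … unchanged: XML document, with SYSTEM "file://FIXTURE_PATH" as the entity's identifier …
EOF
    $xml =~ s{FIXTURE_PATH}{$fixture};
    $rss->parse($xml);

    # … unchanged: is() check that the title equals "WithoutEntity" …

    # TEST
    unlike ($rss->{items}->[0]->{title}, qr/XXE_MARKER/,
        "External entity content is not included in the title",
    );
```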

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libxml-rss-perl.git
