aboutsummaryrefslogtreecommitdiffstats
path: root/contrib
diff options
context:
space:
mode:
authorarcadia-devtools <arcadia-devtools@yandex-team.ru>2022-03-06 12:05:31 +0300
committerarcadia-devtools <arcadia-devtools@yandex-team.ru>2022-03-06 12:05:31 +0300
commit4956097cce302e71664bd2b768cdf09c587f6975 (patch)
tree0cf8f50b22e3d2d09a756cce32e86e12ae88025c /contrib
parent1e305f36a77e00c5edcf5df20409ceff5c82ceac (diff)
downloadydb-4956097cce302e71664bd2b768cdf09c587f6975.tar.gz
intermediate changes
ref:1d2cbda2e7c6bc330948772f6a0d51b2fa37ffb6
Diffstat (limited to 'contrib')
-rw-r--r--contrib/libs/expat/.yandex_meta/devtools.copyrights.report94
-rw-r--r--contrib/libs/expat/.yandex_meta/devtools.licenses.report10
-rw-r--r--contrib/libs/expat/.yandex_meta/licenses.list.txt2
-rw-r--r--contrib/libs/expat/Changes34
-rw-r--r--contrib/libs/expat/README.md2
-rw-r--r--contrib/libs/expat/expat.h22
-rw-r--r--contrib/libs/expat/expat_config.h6
-rw-r--r--contrib/libs/expat/lib/xmlparse.c147
-rw-r--r--contrib/libs/expat/ya.make4
9 files changed, 259 insertions, 62 deletions
diff --git a/contrib/libs/expat/.yandex_meta/devtools.copyrights.report b/contrib/libs/expat/.yandex_meta/devtools.copyrights.report
index fb74cc644c..ef442c148d 100644
--- a/contrib/libs/expat/.yandex_meta/devtools.copyrights.report
+++ b/contrib/libs/expat/.yandex_meta/devtools.copyrights.report
@@ -69,7 +69,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- expat.h [9:18]
+ expat.h [9:19]
expat_external.h [9:18]
lib/xmlrole.c [9:19]
lib/xmltok.c [9:24]
@@ -84,9 +84,19 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
lib/xmltok_impl.c [9:19]
+KEEP COPYRIGHT_SERVICE_LABEL 17566be0ee85deadbd5b2fcedc8b66a9
+BELONGS ya.make
+ Note: matched license text is too long. Read it in the source files.
+ Scancode info:
+ Original SPDX id: COPYRIGHT_SERVICE_LABEL
+ Score : 100.00
+ Match type : COPYRIGHT
+ Files with this license:
+ lib/xmlparse.c [9:38]
+
KEEP COPYRIGHT_SERVICE_LABEL 1916cbefc2e0a780a3d503ba26f3780a
BELONGS ya.make
Note: matched license text is too long. Read it in the source files.
@@ -118,7 +128,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
lib/xmltok.c [9:24]
KEEP COPYRIGHT_SERVICE_LABEL 262c58e3a627f5cee77a882379e1364f
@@ -140,7 +150,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL 338b8ad8ee9b8449a90a88a0559aefd9
BELONGS ya.make
@@ -150,7 +160,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL 387a03e23bfe968e0bc1919b0ef65164
BELONGS ya.make
@@ -170,7 +180,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL 4010f67351b9e656cc500aa367c0c393
BELONGS ya.make
@@ -180,10 +190,20 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
lib/xmlrole.c [9:19]
lib/xmltok.c [9:24]
+KEEP COPYRIGHT_SERVICE_LABEL 50da2a76d12ee3df6d928d81ca59a715
+BELONGS ya.make
+ Note: matched license text is too long. Read it in the source files.
+ Scancode info:
+ Original SPDX id: COPYRIGHT_SERVICE_LABEL
+ Score : 100.00
+ Match type : COPYRIGHT
+ Files with this license:
+ expat.h [9:19]
+
KEEP COPYRIGHT_SERVICE_LABEL 52b42ccd5b2debda3846c7aad55185e7
BELONGS ya.make
Note: matched license text is too long. Read it in the source files.
@@ -235,8 +255,8 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- expat.h [9:18]
- lib/xmlparse.c [9:37]
+ expat.h [9:19]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL 6451d5e490271b354ad3b567c7a03423
BELONGS ya.make
@@ -246,7 +266,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL 660431f3ef648d1a8e72ca1d307af738
BELONGS ya.make
@@ -256,7 +276,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL 671a3fd18ec8f4a472b12e1ee2d0c616
BELONGS ya.make
@@ -286,7 +306,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL 7c09099ef5f35bf3be4611e6cbb14510
BELONGS ya.make
@@ -306,7 +326,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- expat.h [9:18]
+ expat.h [9:19]
expat_external.h [9:18]
lib/ascii.h [9:14]
lib/asciitab.h [9:13]
@@ -315,7 +335,7 @@ BELONGS ya.make
lib/nametab.h [9:11]
lib/utf8tab.h [9:13]
lib/winconfig.h [9:13]
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
lib/xmlrole.c [9:19]
lib/xmlrole.h [9:14]
lib/xmltok.c [9:24]
@@ -356,7 +376,7 @@ BELONGS ya.make
Match type : COPYRIGHT
Files with this license:
lib/internal.h [28:34]
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
lib/xmlrole.c [9:19]
lib/xmltok.c [9:24]
lib/xmltok_impl.c [9:19]
@@ -369,9 +389,9 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- expat.h [9:18]
+ expat.h [9:19]
expat_external.h [9:18]
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL a0fdd1392c0b9b2558b9ccfe44592143
BELONGS ya.make
@@ -411,7 +431,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL aafe06df8255f48781ac9d4e96e1ea4e
BELONGS ya.make
@@ -421,8 +441,8 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- expat.h [9:18]
- lib/xmlparse.c [9:37]
+ expat.h [9:19]
+ lib/xmlparse.c [9:38]
lib/xmltok.c [9:24]
lib/xmltok_impl.c [9:19]
@@ -434,7 +454,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL ac721fcd634b3e5674a847f5ed2f1c8e
BELONGS ya.make
@@ -444,8 +464,8 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- expat.h [9:18]
- lib/xmlparse.c [9:37]
+ expat.h [9:19]
+ lib/xmlparse.c [9:38]
lib/xmltok.c [9:24]
lib/xmltok_impl.c [9:19]
@@ -457,7 +477,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL b646d644160a51f7f42f9fd9f89d8b3f
BELONGS ya.make
@@ -477,7 +497,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
lib/xmlrole.c [9:19]
lib/xmltok.c [9:24]
@@ -525,13 +545,13 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- expat.h [9:18]
+ expat.h [9:19]
expat_external.h [9:18]
lib/asciitab.h [9:13]
lib/iasciitab.h [9:13]
lib/latin1tab.h [9:13]
lib/utf8tab.h [9:13]
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
lib/xmlrole.c [9:19]
lib/xmlrole.h [9:14]
lib/xmltok.c [9:24]
@@ -548,7 +568,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL d548c6beaeae204247905b60d5feff91
BELONGS ya.make
@@ -558,7 +578,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
lib/xmltok_impl.c [9:19]
KEEP COPYRIGHT_SERVICE_LABEL dd3c5623e58aa85a367a6638299f50f3
@@ -569,7 +589,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL dfa8addb3a892dd8d176def4d3f0d567
BELONGS ya.make
@@ -589,7 +609,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL e3d6c1b6030b59aad9996cc0a9efeda5
BELONGS ya.make
@@ -599,7 +619,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL e8d75752f30998b89994f01f786353a2
BELONGS ya.make
@@ -621,7 +641,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL ef0dda0153a00710149f327147a79b7f
BELONGS ya.make
@@ -631,7 +651,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- expat.h [9:18]
+ expat.h [9:19]
KEEP COPYRIGHT_SERVICE_LABEL ef4a1bf87c0e9671b2e7497bc1fcfd12
BELONGS ya.make
@@ -641,7 +661,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- expat.h [9:18]
+ expat.h [9:19]
expat_external.h [9:18]
KEEP COPYRIGHT_SERVICE_LABEL f385189c52b8d4beb4f02b45629c23db
@@ -652,7 +672,7 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
KEEP COPYRIGHT_SERVICE_LABEL fea018c6e4e19bc6bd4ac263c015567a
BELONGS ya.make
@@ -680,4 +700,4 @@ BELONGS ya.make
Score : 100.00
Match type : COPYRIGHT
Files with this license:
- lib/xmlparse.c [9:37]
+ lib/xmlparse.c [9:38]
diff --git a/contrib/libs/expat/.yandex_meta/devtools.licenses.report b/contrib/libs/expat/.yandex_meta/devtools.licenses.report
index 0c5ff0a949..50c98bccfb 100644
--- a/contrib/libs/expat/.yandex_meta/devtools.licenses.report
+++ b/contrib/libs/expat/.yandex_meta/devtools.licenses.report
@@ -42,7 +42,7 @@ BELONGS ya.make
KEEP MIT 6bb6514a1d779748b76a73215a89ae66
BELONGS ya.make
-FILE_INCLUDE AUTHORS found in files: expat.h at line 34, expat_external.h at line 34, lib/ascii.h at line 30, lib/asciitab.h at line 29, lib/iasciitab.h at line 29, lib/internal.h at line 50, lib/latin1tab.h at line 29, lib/utf8tab.h at line 29, lib/winconfig.h at line 29, lib/xmlparse.c at line 53, lib/xmlrole.c at line 35, lib/xmlrole.h at line 30, lib/xmltok.c at line 40, lib/xmltok.h at line 31, lib/xmltok_impl.c at line 35, lib/xmltok_impl.h at line 28, lib/xmltok_ns.c at line 31
+FILE_INCLUDE AUTHORS found in files: expat.h at line 35, expat_external.h at line 34, lib/ascii.h at line 30, lib/asciitab.h at line 29, lib/iasciitab.h at line 29, lib/internal.h at line 50, lib/latin1tab.h at line 29, lib/utf8tab.h at line 29, lib/winconfig.h at line 29, lib/xmlparse.c at line 54, lib/xmlrole.c at line 35, lib/xmlrole.h at line 30, lib/xmltok.c at line 40, lib/xmltok.h at line 31, lib/xmltok_impl.c at line 35, lib/xmltok_impl.h at line 28, lib/xmltok_ns.c at line 31
Note: matched license text is too long. Read it in the source files.
Scancode info:
Original SPDX id: MIT
@@ -50,7 +50,7 @@ FILE_INCLUDE AUTHORS found in files: expat.h at line 34, expat_external.h at lin
Match type : TEXT
Links : http://opensource.org/licenses/mit-license.php, https://spdx.org/licenses/MIT
Files with this license:
- expat.h [20:37]
+ expat.h [21:38]
expat_external.h [20:37]
lib/ascii.h [16:33]
lib/asciitab.h [15:32]
@@ -59,7 +59,7 @@ FILE_INCLUDE AUTHORS found in files: expat.h at line 34, expat_external.h at lin
lib/latin1tab.h [15:32]
lib/utf8tab.h [15:32]
lib/winconfig.h [15:32]
- lib/xmlparse.c [39:56]
+ lib/xmlparse.c [40:57]
lib/xmlrole.c [21:38]
lib/xmlrole.h [16:33]
lib/xmltok.c [26:43]
@@ -90,7 +90,7 @@ BELONGS ya.make
Match type : NOTICE
Links : http://opensource.org/licenses/mit-license.php, https://spdx.org/licenses/MIT
Files with this license:
- expat.h [18:18]
+ expat.h [19:19]
expat_external.h [18:18]
lib/ascii.h [14:14]
lib/asciitab.h [13:13]
@@ -100,7 +100,7 @@ BELONGS ya.make
lib/nametab.h [11:11]
lib/utf8tab.h [13:13]
lib/winconfig.h [13:13]
- lib/xmlparse.c [37:37]
+ lib/xmlparse.c [38:38]
lib/xmlrole.c [19:19]
lib/xmlrole.h [14:14]
lib/xmltok.c [24:24]
diff --git a/contrib/libs/expat/.yandex_meta/licenses.list.txt b/contrib/libs/expat/.yandex_meta/licenses.list.txt
index 1d32174e8e..3e3788aaf7 100644
--- a/contrib/libs/expat/.yandex_meta/licenses.list.txt
+++ b/contrib/libs/expat/.yandex_meta/licenses.list.txt
@@ -25,6 +25,7 @@
Copyright (c) 2016 Cristian Rodríguez <crrodriguez@opensuse.org>
Copyright (c) 2016 Thomas Beutlich <tc@tbeu.de>
Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk>
+ Copyright (c) 2022 Thijs Schreijer <thijs@thijsschreijer.nl>
Licensed under the MIT license:
@@ -57,6 +58,7 @@
Copyright (c) 2019 Vadim Zeitlin <vadim@zeitlins.org>
Copyright (c) 2021 Dong-hee Na <donghee.na@python.org>
Copyright (c) 2022 Samanta Navarro <ferivoz@riseup.net>
+ Copyright (c) 2022 Jeffrey Walton <noloader@gmail.com>
Licensed under the MIT license:
diff --git a/contrib/libs/expat/Changes b/contrib/libs/expat/Changes
index 40127e1b76..95f697b39a 100644
--- a/contrib/libs/expat/Changes
+++ b/contrib/libs/expat/Changes
@@ -2,6 +2,40 @@ NOTE: We are looking for help with a few things:
https://github.com/libexpat/libexpat/labels/help%20wanted
If you can help, please get in touch. Thanks!
+Release 2.4.7 Fri March 4 2022
+ Bug fixes:
+ #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
+ with regard to all valid URI characters (RFC 3986),
+ i.e. the following set (excluding whitespace):
+ ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
+ 0123456789 % -._~ :/?#[]@ !$&'()*+,;=
+
+ Other changes:
+ #555 #570 #581 CMake|Windows: Store Expat version in the DLL
+ #577 Document consequences of namespace separator choices not just
+ in doc/reference.html but also in header <expat.h>
+ #577 Document Expat's lack of validation of namespace URIs against
+ RFC 3986, and that the XML 1.0r4 specification doesn't
+ require Expat to validate namespace URIs, and that Expat
+ may do more in that regard in future releases.
+ If you find need for strict RFC 3986 URI validation on
+ application level today, https://uriparser.github.io/ may
+ be of interest.
+ #579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
+ #575 Document that a call to XML_FreeContentModel can be done at
+ a later time from outside the element declaration handler
+ #574 Make hardcoded namespace URIs easier to find in code
+ #573 Update documentation on use of XML_POOR_ENTOPY on Solaris
+ #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++
+ 4.8.2 on Solaris.
+ #578 #580 Version info bumped from 9:6:8 to 9:7:8;
+ see https://verbump.de/ for what these numbers do
+
+ Special thanks to:
+ Jeffrey Walton
+ Johnny Jazeix
+ Thijs Schreijer
+
Release 2.4.6 Sun February 20 2022
Bug fixes:
#566 Fix a regression introduced by the fix for CVE-2022-25313
diff --git a/contrib/libs/expat/README.md b/contrib/libs/expat/README.md
index 959c4a6e94..6bfbf130db 100644
--- a/contrib/libs/expat/README.md
+++ b/contrib/libs/expat/README.md
@@ -5,7 +5,7 @@
[![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases)
-# Expat, Release 2.4.6
+# Expat, Release 2.4.7
This is Expat, a C library for parsing XML, started by
[James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997.
diff --git a/contrib/libs/expat/expat.h b/contrib/libs/expat/expat.h
index 46a0e1bcd2..c9214f6407 100644
--- a/contrib/libs/expat/expat.h
+++ b/contrib/libs/expat/expat.h
@@ -15,6 +15,7 @@
Copyright (c) 2016 Cristian Rodríguez <crrodriguez@opensuse.org>
Copyright (c) 2016 Thomas Beutlich <tc@tbeu.de>
Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk>
+ Copyright (c) 2022 Thijs Schreijer <thijs@thijsschreijer.nl>
Licensed under the MIT license:
Permission is hereby granted, free of charge, to any person obtaining
@@ -174,8 +175,10 @@ struct XML_cp {
};
/* This is called for an element declaration. See above for
- description of the model argument. It's the caller's responsibility
- to free model when finished with it.
+ description of the model argument. It's the user code's responsibility
+ to free model when finished with it. See XML_FreeContentModel.
+ There is no need to free the model from the handler, it can be kept
+ around and freed at a later stage.
*/
typedef void(XMLCALL *XML_ElementDeclHandler)(void *userData,
const XML_Char *name,
@@ -237,6 +240,17 @@ XML_ParserCreate(const XML_Char *encoding);
and the local part will be concatenated without any separator.
It is a programming error to use the separator '\0' with namespace
triplets (see XML_SetReturnNSTriplet).
+ If a namespace separator is chosen that can be part of a URI or
+ part of an XML name, splitting an expanded name back into its
+ 1, 2 or 3 original parts on application level in the element handler
+ may end up vulnerable, so these are advised against; sane choices for
+ a namespace separator are e.g. '\n' (line feed) and '|' (pipe).
+
+ Note that Expat does not validate namespace URIs (beyond encoding)
+ against RFC 3986 today (and is not required to do so with regard to
+ the XML 1.0 namespaces specification) but it may start doing that
+ in future releases. Before that, an application using Expat must
+ be ready to receive namespace URIs containing non-URI characters.
*/
XMLPARSEAPI(XML_Parser)
XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator);
@@ -317,7 +331,7 @@ typedef void(XMLCALL *XML_StartDoctypeDeclHandler)(void *userData,
const XML_Char *pubid,
int has_internal_subset);
-/* This is called for the start of the DOCTYPE declaration when the
+/* This is called for the end of the DOCTYPE declaration when the
closing > is encountered, but after processing any external
subset.
*/
@@ -1041,7 +1055,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
*/
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 4
-#define XML_MICRO_VERSION 6
+#define XML_MICRO_VERSION 7
#ifdef __cplusplus
}
diff --git a/contrib/libs/expat/expat_config.h b/contrib/libs/expat/expat_config.h
index 2a77c19a11..d2e0fb6d23 100644
--- a/contrib/libs/expat/expat_config.h
+++ b/contrib/libs/expat/expat_config.h
@@ -77,7 +77,7 @@
#define PACKAGE_NAME "expat"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "expat 2.4.6"
+#define PACKAGE_STRING "expat 2.4.7"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "expat"
@@ -86,7 +86,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
-#define PACKAGE_VERSION "2.4.6"
+#define PACKAGE_VERSION "2.4.7"
/* Define to 1 if all of the C90 standard headers exist (not just the ones
required in a freestanding environment). This macro is provided for
@@ -94,7 +94,7 @@
#define STDC_HEADERS 1
/* Version number of package */
-#define VERSION "2.4.6"
+#define VERSION "2.4.7"
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
diff --git a/contrib/libs/expat/lib/xmlparse.c b/contrib/libs/expat/lib/xmlparse.c
index 4e50618708..671598d919 100644
--- a/contrib/libs/expat/lib/xmlparse.c
+++ b/contrib/libs/expat/lib/xmlparse.c
@@ -1,4 +1,4 @@
-/* a30d2613dcfdef81475a9d1a349134d2d42722172fdaa7d5bb12ed2aa74b9596 (2.4.6+)
+/* fcb1a62fefa945567301146eb98e3ad3413e823a41c4378e84e8b6b6f308d824 (2.4.7+)
__ __ _
___\ \/ /_ __ __ _| |_
/ _ \\ /| '_ \ / _` | __|
@@ -34,6 +34,7 @@
Copyright (c) 2019 Vadim Zeitlin <vadim@zeitlins.org>
Copyright (c) 2021 Dong-hee Na <donghee.na@python.org>
Copyright (c) 2022 Samanta Navarro <ferivoz@riseup.net>
+ Copyright (c) 2022 Jeffrey Walton <noloader@gmail.com>
Licensed under the MIT license:
Permission is hereby granted, free of charge, to any person obtaining
@@ -133,7 +134,7 @@
* BSD / macOS (including <10.7) (arc4random): HAVE_ARC4RANDOM, \
* libbsd (arc4random_buf): HAVE_ARC4RANDOM_BUF + HAVE_LIBBSD, \
* libbsd (arc4random): HAVE_ARC4RANDOM + HAVE_LIBBSD, \
- * Linux (including <3.17) / BSD / macOS (including <10.7) (/dev/urandom): XML_DEV_URANDOM, \
+ * Linux (including <3.17) / BSD / macOS (including <10.7) / Solaris >=8 (/dev/urandom): XML_DEV_URANDOM, \
* Windows >=Vista (rand_s): _WIN32. \
\
If insist on not using any of these, bypass this error by defining \
@@ -722,6 +723,7 @@ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
return XML_ParserCreate_MM(encodingName, NULL, tmp);
}
+// "xml=http://www.w3.org/XML/1998/namespace"
static const XML_Char implicitContext[]
= {ASCII_x, ASCII_m, ASCII_l, ASCII_EQUALS, ASCII_h,
ASCII_t, ASCII_t, ASCII_p, ASCII_COLON, ASCII_SLASH,
@@ -3704,12 +3706,124 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
return XML_ERROR_NONE;
}
+static XML_Bool
+is_rfc3986_uri_char(XML_Char candidate) {
+ // For the RFC 3986 ANBF grammar see
+ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
+
+ switch (candidate) {
+ // From rule "ALPHA" (uppercase half)
+ case 'A':
+ case 'B':
+ case 'C':
+ case 'D':
+ case 'E':
+ case 'F':
+ case 'G':
+ case 'H':
+ case 'I':
+ case 'J':
+ case 'K':
+ case 'L':
+ case 'M':
+ case 'N':
+ case 'O':
+ case 'P':
+ case 'Q':
+ case 'R':
+ case 'S':
+ case 'T':
+ case 'U':
+ case 'V':
+ case 'W':
+ case 'X':
+ case 'Y':
+ case 'Z':
+
+ // From rule "ALPHA" (lowercase half)
+ case 'a':
+ case 'b':
+ case 'c':
+ case 'd':
+ case 'e':
+ case 'f':
+ case 'g':
+ case 'h':
+ case 'i':
+ case 'j':
+ case 'k':
+ case 'l':
+ case 'm':
+ case 'n':
+ case 'o':
+ case 'p':
+ case 'q':
+ case 'r':
+ case 's':
+ case 't':
+ case 'u':
+ case 'v':
+ case 'w':
+ case 'x':
+ case 'y':
+ case 'z':
+
+ // From rule "DIGIT"
+ case '0':
+ case '1':
+ case '2':
+ case '3':
+ case '4':
+ case '5':
+ case '6':
+ case '7':
+ case '8':
+ case '9':
+
+ // From rule "pct-encoded"
+ case '%':
+
+ // From rule "unreserved"
+ case '-':
+ case '.':
+ case '_':
+ case '~':
+
+ // From rule "gen-delims"
+ case ':':
+ case '/':
+ case '?':
+ case '#':
+ case '[':
+ case ']':
+ case '@':
+
+ // From rule "sub-delims"
+ case '!':
+ case '$':
+ case '&':
+ case '\'':
+ case '(':
+ case ')':
+ case '*':
+ case '+':
+ case ',':
+ case ';':
+ case '=':
+ return XML_TRUE;
+
+ default:
+ return XML_FALSE;
+ }
+}
+
/* addBinding() overwrites the value of prefix->binding without checking.
Therefore one must keep track of the old value outside of addBinding().
*/
static enum XML_Error
addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
const XML_Char *uri, BINDING **bindingsPtr) {
+ // "http://www.w3.org/XML/1998/namespace"
static const XML_Char xmlNamespace[]
= {ASCII_h, ASCII_t, ASCII_t, ASCII_p, ASCII_COLON,
ASCII_SLASH, ASCII_SLASH, ASCII_w, ASCII_w, ASCII_w,
@@ -3720,6 +3834,7 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
ASCII_e, ASCII_s, ASCII_p, ASCII_a, ASCII_c,
ASCII_e, '\0'};
static const int xmlLen = (int)sizeof(xmlNamespace) / sizeof(XML_Char) - 1;
+ // "http://www.w3.org/2000/xmlns/"
static const XML_Char xmlnsNamespace[]
= {ASCII_h, ASCII_t, ASCII_t, ASCII_p, ASCII_COLON, ASCII_SLASH,
ASCII_SLASH, ASCII_w, ASCII_w, ASCII_w, ASCII_PERIOD, ASCII_w,
@@ -3760,14 +3875,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
isXMLNS = XML_FALSE;
- // NOTE: While Expat does not validate namespace URIs against RFC 3986,
- // we have to at least make sure that the XML processor on top of
- // Expat (that is splitting tag names by namespace separator into
- // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
- // by an attacker putting additional namespace separator characters
- // into namespace declarations. That would be ambiguous and not to
- // be expected.
- if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+ // NOTE: While Expat does not validate namespace URIs against RFC 3986
+ // today (and is not REQUIRED to do so with regard to the XML 1.0
+ // namespaces specification) we have to at least make sure, that
+ // the application on top of Expat (that is likely splitting expanded
+ // element names ("qualified names") of form
+ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
+ // in its element handler code) cannot be confused by an attacker
+ // putting additional namespace separator characters into namespace
+ // declarations. That would be ambiguous and not to be expected.
+ //
+ // While the HTML API docs of function XML_ParserCreateNS have been
+ // advising against use of a namespace separator character that can
+ // appear in a URI for >20 years now, some widespread applications
+ // are using URI characters (':' (colon) in particular) for a
+ // namespace separator, in practice. To keep these applications
+ // functional, we only reject namespaces URIs containing the
+ // application-chosen namespace separator if the chosen separator
+ // is a non-URI character with regard to RFC 3986.
+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
+ && ! is_rfc3986_uri_char(uri[len])) {
return XML_ERROR_SYNTAX;
}
}
diff --git a/contrib/libs/expat/ya.make b/contrib/libs/expat/ya.make
index 413631a5de..fb7ad49cc5 100644
--- a/contrib/libs/expat/ya.make
+++ b/contrib/libs/expat/ya.make
@@ -7,9 +7,9 @@ OWNER(
g:cpp-contrib
)
-VERSION(2.4.6)
+VERSION(2.4.7)
-ORIGINAL_SOURCE(https://github.com/libexpat/libexpat/releases/download/R_2_4_6/expat-2.4.6.tar.xz)
+ORIGINAL_SOURCE(https://github.com/libexpat/libexpat/releases/download/R_2_4_7/expat-2.4.7.tar.xz)
LICENSE(
CC0-1.0 AND