author | arcadia-devtools <arcadia-devtools@yandex-team.ru> | 2022-03-06 12:05:31 +0300 |
---|---|---|
committer | arcadia-devtools <arcadia-devtools@yandex-team.ru> | 2022-03-06 12:05:31 +0300 |
commit | 4956097cce302e71664bd2b768cdf09c587f6975 (patch) | |
tree | 0cf8f50b22e3d2d09a756cce32e86e12ae88025c /contrib | |
parent | 1e305f36a77e00c5edcf5df20409ceff5c82ceac (diff) | |
download | ydb-4956097cce302e71664bd2b768cdf09c587f6975.tar.gz |
intermediate changes
ref:1d2cbda2e7c6bc330948772f6a0d51b2fa37ffb6
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/libs/expat/.yandex_meta/devtools.copyrights.report | 94 | ||||
-rw-r--r-- | contrib/libs/expat/.yandex_meta/devtools.licenses.report | 10 | ||||
-rw-r--r-- | contrib/libs/expat/.yandex_meta/licenses.list.txt | 2 | ||||
-rw-r--r-- | contrib/libs/expat/Changes | 34 | ||||
-rw-r--r-- | contrib/libs/expat/README.md | 2 | ||||
-rw-r--r-- | contrib/libs/expat/expat.h | 22 | ||||
-rw-r--r-- | contrib/libs/expat/expat_config.h | 6 | ||||
-rw-r--r-- | contrib/libs/expat/lib/xmlparse.c | 147 | ||||
-rw-r--r-- | contrib/libs/expat/ya.make | 4 |
9 files changed, 259 insertions, 62 deletions
diff --git a/contrib/libs/expat/.yandex_meta/devtools.copyrights.report b/contrib/libs/expat/.yandex_meta/devtools.copyrights.report index fb74cc644c..ef442c148d 100644 --- a/contrib/libs/expat/.yandex_meta/devtools.copyrights.report +++ b/contrib/libs/expat/.yandex_meta/devtools.copyrights.report @@ -69,7 +69,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - expat.h [9:18] + expat.h [9:19] expat_external.h [9:18] lib/xmlrole.c [9:19] lib/xmltok.c [9:24] @@ -84,9 +84,19 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] lib/xmltok_impl.c [9:19] +KEEP COPYRIGHT_SERVICE_LABEL 17566be0ee85deadbd5b2fcedc8b66a9 +BELONGS ya.make + Note: matched license text is too long. Read it in the source files. + Scancode info: + Original SPDX id: COPYRIGHT_SERVICE_LABEL + Score : 100.00 + Match type : COPYRIGHT + Files with this license: + lib/xmlparse.c [9:38] + KEEP COPYRIGHT_SERVICE_LABEL 1916cbefc2e0a780a3d503ba26f3780a BELONGS ya.make Note: matched license text is too long. Read it in the source files. @@ -118,7 +128,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] lib/xmltok.c [9:24] KEEP COPYRIGHT_SERVICE_LABEL 262c58e3a627f5cee77a882379e1364f @@ -140,7 +150,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL 338b8ad8ee9b8449a90a88a0559aefd9 BELONGS ya.make @@ -150,7 +160,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL 387a03e23bfe968e0bc1919b0ef65164 BELONGS ya.make 
@@ -170,7 +180,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL 4010f67351b9e656cc500aa367c0c393 BELONGS ya.make @@ -180,10 +190,20 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] lib/xmlrole.c [9:19] lib/xmltok.c [9:24] +KEEP COPYRIGHT_SERVICE_LABEL 50da2a76d12ee3df6d928d81ca59a715 +BELONGS ya.make + Note: matched license text is too long. Read it in the source files. + Scancode info: + Original SPDX id: COPYRIGHT_SERVICE_LABEL + Score : 100.00 + Match type : COPYRIGHT + Files with this license: + expat.h [9:19] + KEEP COPYRIGHT_SERVICE_LABEL 52b42ccd5b2debda3846c7aad55185e7 BELONGS ya.make Note: matched license text is too long. Read it in the source files. @@ -235,8 +255,8 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - expat.h [9:18] - lib/xmlparse.c [9:37] + expat.h [9:19] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL 6451d5e490271b354ad3b567c7a03423 BELONGS ya.make @@ -246,7 +266,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL 660431f3ef648d1a8e72ca1d307af738 BELONGS ya.make @@ -256,7 +276,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL 671a3fd18ec8f4a472b12e1ee2d0c616 BELONGS ya.make @@ -286,7 +306,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL 7c09099ef5f35bf3be4611e6cbb14510 BELONGS ya.make @@ -306,7 +326,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - expat.h [9:18] + expat.h [9:19] expat_external.h [9:18] lib/ascii.h [9:14] lib/asciitab.h [9:13] 
@@ -315,7 +335,7 @@ BELONGS ya.make lib/nametab.h [9:11] lib/utf8tab.h [9:13] lib/winconfig.h [9:13] - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] lib/xmlrole.c [9:19] lib/xmlrole.h [9:14] lib/xmltok.c [9:24] @@ -356,7 +376,7 @@ BELONGS ya.make Match type : COPYRIGHT Files with this license: lib/internal.h [28:34] - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] lib/xmlrole.c [9:19] lib/xmltok.c [9:24] lib/xmltok_impl.c [9:19] @@ -369,9 +389,9 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - expat.h [9:18] + expat.h [9:19] expat_external.h [9:18] - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL a0fdd1392c0b9b2558b9ccfe44592143 BELONGS ya.make @@ -411,7 +431,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL aafe06df8255f48781ac9d4e96e1ea4e BELONGS ya.make @@ -421,8 +441,8 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - expat.h [9:18] - lib/xmlparse.c [9:37] + expat.h [9:19] + lib/xmlparse.c [9:38] lib/xmltok.c [9:24] lib/xmltok_impl.c [9:19] @@ -434,7 +454,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL ac721fcd634b3e5674a847f5ed2f1c8e BELONGS ya.make @@ -444,8 +464,8 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - expat.h [9:18] - lib/xmlparse.c [9:37] + expat.h [9:19] + lib/xmlparse.c [9:38] lib/xmltok.c [9:24] lib/xmltok_impl.c [9:19] @@ -457,7 +477,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL b646d644160a51f7f42f9fd9f89d8b3f BELONGS ya.make 
@@ -477,7 +497,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] lib/xmlrole.c [9:19] lib/xmltok.c [9:24] @@ -525,13 +545,13 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - expat.h [9:18] + expat.h [9:19] expat_external.h [9:18] lib/asciitab.h [9:13] lib/iasciitab.h [9:13] lib/latin1tab.h [9:13] lib/utf8tab.h [9:13] - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] lib/xmlrole.c [9:19] lib/xmlrole.h [9:14] lib/xmltok.c [9:24] @@ -548,7 +568,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL d548c6beaeae204247905b60d5feff91 BELONGS ya.make @@ -558,7 +578,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] lib/xmltok_impl.c [9:19] KEEP COPYRIGHT_SERVICE_LABEL dd3c5623e58aa85a367a6638299f50f3 @@ -569,7 +589,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL dfa8addb3a892dd8d176def4d3f0d567 BELONGS ya.make @@ -589,7 +609,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL e3d6c1b6030b59aad9996cc0a9efeda5 BELONGS ya.make @@ -599,7 +619,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL e8d75752f30998b89994f01f786353a2 BELONGS ya.make @@ -621,7 +641,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL ef0dda0153a00710149f327147a79b7f BELONGS ya.make 
@@ -631,7 +651,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - expat.h [9:18] + expat.h [9:19] KEEP COPYRIGHT_SERVICE_LABEL ef4a1bf87c0e9671b2e7497bc1fcfd12 BELONGS ya.make @@ -641,7 +661,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - expat.h [9:18] + expat.h [9:19] expat_external.h [9:18] KEEP COPYRIGHT_SERVICE_LABEL f385189c52b8d4beb4f02b45629c23db @@ -652,7 +672,7 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] KEEP COPYRIGHT_SERVICE_LABEL fea018c6e4e19bc6bd4ac263c015567a BELONGS ya.make @@ -680,4 +700,4 @@ BELONGS ya.make Score : 100.00 Match type : COPYRIGHT Files with this license: - lib/xmlparse.c [9:37] + lib/xmlparse.c [9:38] diff --git a/contrib/libs/expat/.yandex_meta/devtools.licenses.report b/contrib/libs/expat/.yandex_meta/devtools.licenses.report index 0c5ff0a949..50c98bccfb 100644 --- a/contrib/libs/expat/.yandex_meta/devtools.licenses.report +++ b/contrib/libs/expat/.yandex_meta/devtools.licenses.report 
@@ -42,7 +42,7 @@ BELONGS ya.make KEEP MIT 6bb6514a1d779748b76a73215a89ae66 BELONGS ya.make -FILE_INCLUDE AUTHORS found in files: expat.h at line 34, expat_external.h at line 34, lib/ascii.h at line 30, lib/asciitab.h at line 29, lib/iasciitab.h at line 29, lib/internal.h at line 50, lib/latin1tab.h at line 29, lib/utf8tab.h at line 29, lib/winconfig.h at line 29, lib/xmlparse.c at line 53, lib/xmlrole.c at line 35, lib/xmlrole.h at line 30, lib/xmltok.c at line 40, lib/xmltok.h at line 31, lib/xmltok_impl.c at line 35, lib/xmltok_impl.h at line 28, lib/xmltok_ns.c at line 31 +FILE_INCLUDE AUTHORS found in files: expat.h at line 35, expat_external.h at line 34, lib/ascii.h at line 30, lib/asciitab.h at line 29, lib/iasciitab.h at line 29, lib/internal.h at line 50, lib/latin1tab.h at line 29, lib/utf8tab.h at line 29, lib/winconfig.h at line 29, lib/xmlparse.c at line 54, lib/xmlrole.c at line 35, lib/xmlrole.h at line 30, lib/xmltok.c at line 40, lib/xmltok.h at line 31, lib/xmltok_impl.c at line 35, lib/xmltok_impl.h at line 28, lib/xmltok_ns.c at line 31 Note: matched license text is too long. Read it in the source files. Scancode info: Original SPDX id: MIT @@ -50,7 +50,7 @@ FILE_INCLUDE AUTHORS found in files: expat.h at line 34, expat_external.h at lin Match type : TEXT Links : http://opensource.org/licenses/mit-license.php, https://spdx.org/licenses/MIT Files with this license: - expat.h [20:37] + expat.h [21:38] expat_external.h [20:37] lib/ascii.h [16:33] lib/asciitab.h [15:32] @@ -59,7 +59,7 @@ FILE_INCLUDE AUTHORS found in files: expat.h at line 34, expat_external.h at lin lib/latin1tab.h [15:32] lib/utf8tab.h [15:32] lib/winconfig.h [15:32] - lib/xmlparse.c [39:56] + lib/xmlparse.c [40:57] lib/xmlrole.c [21:38] lib/xmlrole.h [16:33] lib/xmltok.c [26:43] 
@@ -90,7 +90,7 @@ BELONGS ya.make Match type : NOTICE Links : http://opensource.org/licenses/mit-license.php, https://spdx.org/licenses/MIT Files with this license: - expat.h [18:18] + expat.h [19:19] expat_external.h [18:18] lib/ascii.h [14:14] lib/asciitab.h [13:13] @@ -100,7 +100,7 @@ BELONGS ya.make lib/nametab.h [11:11] lib/utf8tab.h [13:13] lib/winconfig.h [13:13] - lib/xmlparse.c [37:37] + lib/xmlparse.c [38:38] lib/xmlrole.c [19:19] lib/xmlrole.h [14:14] lib/xmltok.c [24:24] diff --git a/contrib/libs/expat/.yandex_meta/licenses.list.txt b/contrib/libs/expat/.yandex_meta/licenses.list.txt index 1d32174e8e..3e3788aaf7 100644 --- a/contrib/libs/expat/.yandex_meta/licenses.list.txt +++ b/contrib/libs/expat/.yandex_meta/licenses.list.txt @@ -25,6 +25,7 @@ Copyright (c) 2016 Cristian RodrÃguez <crrodriguez@opensuse.org> Copyright (c) 2016 Thomas Beutlich <tc@tbeu.de> Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk> + Copyright (c) 2022 Thijs Schreijer <thijs@thijsschreijer.nl> Licensed under the MIT license: @@ -57,6 +58,7 @@ Copyright (c) 2019 Vadim Zeitlin <vadim@zeitlins.org> Copyright (c) 2021 Dong-hee Na <donghee.na@python.org> Copyright (c) 2022 Samanta Navarro <ferivoz@riseup.net> + Copyright (c) 2022 Jeffrey Walton <noloader@gmail.com> Licensed under the MIT license: diff --git a/contrib/libs/expat/Changes b/contrib/libs/expat/Changes index 40127e1b76..95f697b39a 100644 --- a/contrib/libs/expat/Changes +++ b/contrib/libs/expat/Changes 
@@ -2,6 +2,40 @@ NOTE: We are looking for help with a few things: https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! +Release 2.4.7 Fri March 4 2022 + Bug fixes: + #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) + with regard to all valid URI characters (RFC 3986), + i.e. the following set (excluding whitespace): + ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz + 0123456789 % -._~ :/?#[]@ !$&'()*+,;= + + Other changes: + #555 #570 #581 CMake|Windows: Store Expat version in the DLL + #577 Document consequences of namespace separator choices not just + in doc/reference.html but also in header <expat.h> + #577 Document Expat's lack of validation of namespace URIs against + RFC 3986, and that the XML 1.0r4 specification doesn't + require Expat to validate namespace URIs, and that Expat + may do more in that regard in future releases. + If you find need for strict RFC 3986 URI validation on + application level today, https://uriparser.github.io/ may + be of interest. + #579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h> + #575 Document that a call to XML_FreeContentModel can be done at + a later time from outside the element declaration handler + #574 Make hardcoded namespace URIs easier to find in code + #573 Update documentation on use of XML_POOR_ENTOPY on Solaris + #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++ + 4.8.2 on Solaris. + #578 #580 Version info bumped from 9:6:8 to 9:7:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Jeffrey Walton + Johnny Jazeix + Thijs Schreijer + Release 2.4.6 Sun February 20 2022 Bug fixes: #566 Fix a regression introduced by the fix for CVE-2022-25313 diff --git a/contrib/libs/expat/README.md b/contrib/libs/expat/README.md index 959c4a6e94..6bfbf130db 100644 --- a/contrib/libs/expat/README.md +++ b/contrib/libs/expat/README.md 
@@ -5,7 +5,7 @@ [![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases) -# Expat, Release 2.4.6 +# Expat, Release 2.4.7 This is Expat, a C library for parsing XML, started by [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997. diff --git a/contrib/libs/expat/expat.h b/contrib/libs/expat/expat.h index 46a0e1bcd2..c9214f6407 100644 --- a/contrib/libs/expat/expat.h +++ b/contrib/libs/expat/expat.h @@ -15,6 +15,7 @@ Copyright (c) 2016 Cristian RodrÃguez <crrodriguez@opensuse.org> Copyright (c) 2016 Thomas Beutlich <tc@tbeu.de> Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk> + Copyright (c) 2022 Thijs Schreijer <thijs@thijsschreijer.nl> Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining @@ -174,8 +175,10 @@ struct XML_cp { }; /* This is called for an element declaration. See above for - description of the model argument. It's the caller's responsibility - to free model when finished with it. + description of the model argument. It's the user code's responsibility + to free model when finished with it. See XML_FreeContentModel. + There is no need to free the model from the handler, it can be kept + around and freed at a later stage. */ typedef void(XMLCALL *XML_ElementDeclHandler)(void *userData, const XML_Char *name, 
@@ -237,6 +240,17 @@ XML_ParserCreate(const XML_Char *encoding); and the local part will be concatenated without any separator. It is a programming error to use the separator '\0' with namespace triplets (see XML_SetReturnNSTriplet). + If a namespace separator is chosen that can be part of a URI or + part of an XML name, splitting an expanded name back into its + 1, 2 or 3 original parts on application level in the element handler + may end up vulnerable, so these are advised against; sane choices for + a namespace separator are e.g. '\n' (line feed) and '|' (pipe). + + Note that Expat does not validate namespace URIs (beyond encoding) + against RFC 3986 today (and is not required to do so with regard to + the XML 1.0 namespaces specification) but it may start doing that + in future releases. Before that, an application using Expat must + be ready to receive namespace URIs containing non-URI characters. */ XMLPARSEAPI(XML_Parser) XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator); @@ -317,7 +331,7 @@ typedef void(XMLCALL *XML_StartDoctypeDeclHandler)(void *userData, const XML_Char *pubid, int has_internal_subset); -/* This is called for the start of the DOCTYPE declaration when the +/* This is called for the end of the DOCTYPE declaration when the closing > is encountered, but after processing any external subset. */ @@ -1041,7 +1055,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold( */ #define XML_MAJOR_VERSION 2 #define XML_MINOR_VERSION 4 -#define XML_MICRO_VERSION 6 +#define XML_MICRO_VERSION 7 #ifdef __cplusplus } diff --git a/contrib/libs/expat/expat_config.h b/contrib/libs/expat/expat_config.h index 2a77c19a11..d2e0fb6d23 100644 --- a/contrib/libs/expat/expat_config.h +++ b/contrib/libs/expat/expat_config.h 
@@ -77,7 +77,7 @@ #define PACKAGE_NAME "expat" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "expat 2.4.6" +#define PACKAGE_STRING "expat 2.4.7" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "expat" @@ -86,7 +86,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "2.4.6" +#define PACKAGE_VERSION "2.4.7" /* Define to 1 if all of the C90 standard headers exist (not just the ones required in a freestanding environment). This macro is provided for @@ -94,7 +94,7 @@ #define STDC_HEADERS 1 /* Version number of package */ -#define VERSION "2.4.6" +#define VERSION "2.4.7" /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ diff --git a/contrib/libs/expat/lib/xmlparse.c b/contrib/libs/expat/lib/xmlparse.c index 4e50618708..671598d919 100644 --- a/contrib/libs/expat/lib/xmlparse.c +++ b/contrib/libs/expat/lib/xmlparse.c @@ -1,4 +1,4 @@ -/* a30d2613dcfdef81475a9d1a349134d2d42722172fdaa7d5bb12ed2aa74b9596 (2.4.6+) +/* fcb1a62fefa945567301146eb98e3ad3413e823a41c4378e84e8b6b6f308d824 (2.4.7+) __ __ _ ___\ \/ /_ __ __ _| |_ / _ \\ /| '_ \ / _` | __| @@ -34,6 +34,7 @@ Copyright (c) 2019 Vadim Zeitlin <vadim@zeitlins.org> Copyright (c) 2021 Dong-hee Na <donghee.na@python.org> Copyright (c) 2022 Samanta Navarro <ferivoz@riseup.net> + Copyright (c) 2022 Jeffrey Walton <noloader@gmail.com> Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining 
@@ -133,7 +134,7 @@ * BSD / macOS (including <10.7) (arc4random): HAVE_ARC4RANDOM, \ * libbsd (arc4random_buf): HAVE_ARC4RANDOM_BUF + HAVE_LIBBSD, \ * libbsd (arc4random): HAVE_ARC4RANDOM + HAVE_LIBBSD, \ - * Linux (including <3.17) / BSD / macOS (including <10.7) (/dev/urandom): XML_DEV_URANDOM, \ + * Linux (including <3.17) / BSD / macOS (including <10.7) / Solaris >=8 (/dev/urandom): XML_DEV_URANDOM, \ * Windows >=Vista (rand_s): _WIN32. \ \ If insist on not using any of these, bypass this error by defining \ @@ -722,6 +723,7 @@ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) { return XML_ParserCreate_MM(encodingName, NULL, tmp); } +// "xml=http://www.w3.org/XML/1998/namespace" static const XML_Char implicitContext[] = {ASCII_x, ASCII_m, ASCII_l, ASCII_EQUALS, ASCII_h, ASCII_t, ASCII_t, ASCII_p, ASCII_COLON, ASCII_SLASH, 
@@ -3704,12 +3706,124 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, return XML_ERROR_NONE; } +static XML_Bool +is_rfc3986_uri_char(XML_Char candidate) { + // For the RFC 3986 ANBF grammar see + // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A + + switch (candidate) { + // From rule "ALPHA" (uppercase half) + case 'A': + case 'B': + case 'C': + case 'D': + case 'E': + case 'F': + case 'G': + case 'H': + case 'I': + case 'J': + case 'K': + case 'L': + case 'M': + case 'N': + case 'O': + case 'P': + case 'Q': + case 'R': + case 'S': + case 'T': + case 'U': + case 'V': + case 'W': + case 'X': + case 'Y': + case 'Z': + + // From rule "ALPHA" (lowercase half) + case 'a': + case 'b': + case 'c': + case 'd': + case 'e': + case 'f': + case 'g': + case 'h': + case 'i': + case 'j': + case 'k': + case 'l': + case 'm': + case 'n': + case 'o': + case 'p': + case 'q': + case 'r': + case 's': + case 't': + case 'u': + case 'v': + case 'w': + case 'x': + case 'y': + case 'z': + + // From rule "DIGIT" + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + + // From rule "pct-encoded" + case '%': + + // From rule "unreserved" + case '-': + case '.': + case '_': + case '~': + + // From rule "gen-delims" + case ':': + case '/': + case '?': + case '#': + case '[': + case ']': + case '@': + + // From rule "sub-delims" + case '!': + case '$': + case '&': + case '\'': + case '(': + case ')': + case '*': + case '+': + case ',': + case ';': + case '=': + return XML_TRUE; + + default: + return XML_FALSE; + } +} + /* addBinding() overwrites the value of prefix->binding without checking. Therefore one must keep track of the old value outside of addBinding(). 
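Review bot: The comment opening is_rfc3986_uri_char misspells the grammar notation; it should read `// For the RFC 3986 ABNF grammar see` rather than "ANBF". Separately, the case labels spell the accepted code points as plain character literals ('A', '%', ':' and so on) while the neighbouring tables in this file (implicitContext in the previous hunk, xmlNamespace and xmlnsNamespace in the next) spell them with the ASCII_* constants such as ASCII_COLON, ASCII_SLASH and ASCII_EQUALS; if that convention exists to keep the source independent of the compiler's execution character set, the switch should follow it (adding constants where ascii.h lacks one), and if the literals are deliberate a one-line comment saying so would spare the next reader the question. Since this predicate now decides which namespace URIs addBinding rejects, a short header comment stating that it is a strict whitelist of the RFC 3986 character set and that whitespace is intentionally excluded would also help.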
*/ static enum XML_Error addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, const XML_Char *uri, BINDING **bindingsPtr) { + // "http://www.w3.org/XML/1998/namespace" static const XML_Char xmlNamespace[] = {ASCII_h, ASCII_t, ASCII_t, ASCII_p, ASCII_COLON, ASCII_SLASH, ASCII_SLASH, ASCII_w, ASCII_w, ASCII_w, @@ -3720,6 +3834,7 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, ASCII_e, ASCII_s, ASCII_p, ASCII_a, ASCII_c, ASCII_e, '\0'}; static const int xmlLen = (int)sizeof(xmlNamespace) / sizeof(XML_Char) - 1; + // "http://www.w3.org/2000/xmlns/" static const XML_Char xmlnsNamespace[] = {ASCII_h, ASCII_t, ASCII_t, ASCII_p, ASCII_COLON, ASCII_SLASH, ASCII_SLASH, ASCII_w, ASCII_w, ASCII_w, ASCII_PERIOD, ASCII_w, 
@@ -3760,14 +3875,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, && (len > xmlnsLen || uri[len] != xmlnsNamespace[len])) isXMLNS = XML_FALSE; - // NOTE: While Expat does not validate namespace URIs against RFC 3986, - // we have to at least make sure that the XML processor on top of - // Expat (that is splitting tag names by namespace separator into - // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused - // by an attacker putting additional namespace separator characters - // into namespace declarations. That would be ambiguous and not to - // be expected. - if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) { + // NOTE: While Expat does not validate namespace URIs against RFC 3986 + // today (and is not REQUIRED to do so with regard to the XML 1.0 + // namespaces specification) we have to at least make sure, that + // the application on top of Expat (that is likely splitting expanded + // element names ("qualified names") of form + // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces + // in its element handler code) cannot be confused by an attacker + // putting additional namespace separator characters into namespace + // declarations. That would be ambiguous and not to be expected. + // + // While the HTML API docs of function XML_ParserCreateNS have been + // advising against use of a namespace separator character that can + // appear in a URI for >20 years now, some widespread applications + // are using URI characters (':' (colon) in particular) for a + // namespace separator, in practice. To keep these applications + // functional, we only reject namespaces URIs containing the + // application-chosen namespace separator if the chosen separator + // is a non-URI character with regard to RFC 3986. + if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator) + && ! is_rfc3986_uri_char(uri[len])) { return XML_ERROR_SYNTAX; } } 
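Review bot: The new condition tests the separator through `uri[len]` although the preceding `uri[len] == parser->m_namespaceSeparator` already fixes that value, so the property the comment describes — that the chosen separator is a non-URI character — is only stated indirectly; writing `&& ! is_rfc3986_uri_char(parser->m_namespaceSeparator)` reads as the comment does and makes it obvious the predicate is loop-invariant. The comment also says "namespaces URIs" where "namespace URIs" is meant. It would be worth adding one sentence there making explicit that for a separator drawn from the RFC 3986 set (the ':' case the comment mentions) the ambiguity it describes is therefore not rejected by Expat, so an application choosing such a separator keeps the responsibility of handling it. The enclosing loop and the body of addBinding start and end outside the hunk.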
diff --git a/contrib/libs/expat/ya.make b/contrib/libs/expat/ya.make index 413631a5de..fb7ad49cc5 100644 --- a/contrib/libs/expat/ya.make +++ b/contrib/libs/expat/ya.make @@ -7,9 +7,9 @@ OWNER( g:cpp-contrib ) -VERSION(2.4.6) +VERSION(2.4.7) -ORIGINAL_SOURCE(https://github.com/libexpat/libexpat/releases/download/R_2_4_6/expat-2.4.6.tar.xz) +ORIGINAL_SOURCE(https://github.com/libexpat/libexpat/releases/download/R_2_4_7/expat-2.4.7.tar.xz) LICENSE( CC0-1.0 AND |