File perl-XML-Twig-no_xxe.patch of Package perl-XML-Twig.15795
diff -Ppuri XML-Twig-3.44/Twig.pm XML-Twig-3.50/Twig.pm
--- XML-Twig-3.44/Twig.pm 2013-02-11 17:30:09.000000000 +0100
+++ XML-Twig-3.50/Twig.pm 2016-11-22 15:46:37.000000000 +0100
@@ -515,6 +539,10 @@ sub new
if( !$args{NoLWP} && ! _use( 'URI') && ! _use( 'URI::File') && ! _use( 'LWP'))
{ $self->{twig_ext_ent_handler}= \&XML::Parser::initial_ext_ent_handler }
+ elsif( $args{NoXxe})
+ { $self->{twig_ext_ent_handler}=
+ sub { my($xp, $base, $path) = @_; $xp->{ErrorMessage}.= "cannot use entities in document when the no_xxe option is on"; return undef; };
+ }
else
{ $self->{twig_ext_ent_handler}= \&XML::Parser::file_ext_ent_handler }
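Review bot: The new `elsif( $args{NoXxe})` branch is reached only when the preceding `if` is false, so whenever that first condition holds (NoLWP unset and the `_use` checks for URI, URI::File and LWP all failing) the handler stays `\&XML::Parser::initial_ext_ent_handler` and `no_xxe` is silently ignored. A security option should not depend on which modules happen to load, so test it first: `if( $args{NoXxe})` for the rejecting handler, then `elsif( !$args{NoLWP} && ! _use( 'URI') && ! _use( 'URI::File') && ! _use( 'LWP'))` for the existing branch. The same ordering appears in the Twig_pm.slow hunk of `sub new`. The body of `new` continues outside the hunk, so how `twig_ext_ent_handler` is later installed on the parser is not visible here. A regression test that parses a document declaring an external entity with `no_xxe => 1` and asserts that the parse fails would pin the intended behaviour.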
@@ -10283,6 +10661,18 @@ subroutine) as the argument, this subrou
by XML::Parser::Expat C<original_string()> method) and returns a tag and the
attributes in a hash (or in a list attribute_name/attribute value).
+=item no_xxe
+
+prevents external entities to be parsed.
+
+This is a security feature, in case the input XML cannot be trusted. With this
+option set to a true value defining external entities in the document will cause
+the parse to fail.
+
+This prevents an entity like C<< <!ENTITY xxe PUBLIC "bar" "/etc/passwd"> >> to
+make the password fiel available in the document.
+
+
=item expand_external_ents
When this option is used external entities (that are defined) are expanded
diff -Ppuri XML-Twig-3.44/Twig_pm.slow XML-Twig-3.50/Twig_pm.slow
--- XML-Twig-3.44/Twig_pm.slow 2013-02-11 17:28:16.000000000 +0100
+++ XML-Twig-3.50/Twig_pm.slow 2016-11-22 15:31:20.000000000 +0100
@@ -383,7 +407,7 @@ my $css_sel=0; # set through the css_sel
TopDownHandlers => 1,
KeepEncoding => 1, DoNotEscapeAmpInAtts => 1,
ParseStartTag => 1, KeepAttsOrder => 1,
- LoadDTD => 1, DTDHandler => 1,
+ LoadDTD => 1, DTDHandler => 1, DTDBase => 1, NoXxe => 1,
DoNotOutputDTD => 1, NoProlog => 1,
ExpandExternalEnts => 1,
DiscardSpaces => 1, KeepSpaces => 1, DiscardAllSpaces => 1,
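Review bot: `NoXxe => 1` (and `DTDBase => 1`) are added to this option table only in Twig_pm.slow; the Twig.pm section of this patch has no matching hunk, although it receives the same `elsif( $args{NoXxe})` code in `new`. If this table is what `new` checks constructor arguments against (not visible here), Twig.pm would treat `no_xxe` as an unknown option, so confirm this and add the same line there, keeping the two files in step. `DTDBase` is unrelated to the no_xxe change and looks carried over from the 3.50 sources; check that the code reading it exists in the patched version. The table starts and ends outside the hunk.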
@@ -515,6 +539,10 @@ sub new
if( !$args{NoLWP} && ! _use( 'URI') && ! _use( 'URI::File') && ! _use( 'LWP'))
{ $self->{twig_ext_ent_handler}= \&XML::Parser::initial_ext_ent_handler }
+ elsif( $args{NoXxe})
+ { $self->{twig_ext_ent_handler}=
+ sub { my($xp, $base, $path) = @_; $xp->{ErrorMessage}.= "cannot use entities in document when the no_xxe option is on"; return undef; };
+ }
else
{ $self->{twig_ext_ent_handler}= \&XML::Parser::file_ext_ent_handler }
@@ -10285,6 +10661,18 @@ subroutine) as the argument, this subrou
by XML::Parser::Expat C<original_string()> method) and returns a tag and the
attributes in a hash (or in a list attribute_name/attribute value).
+=item no_xxe
+
+prevents external entities to be parsed.
+
+This is a security feature, in case the input XML cannot be trusted. With this
+option set to a true value defining external entities in the document will cause
+the parse to fail.
+
+This prevents an entity like C<< <!ENTITY xxe PUBLIC "bar" "/etc/passwd"> >> to
+make the password fiel available in the document.
+
+
=item expand_external_ents
When this option is used external entities (that are defined) are expanded