Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package lua-luaexpat for openSUSE:Factory 
checked in at 2023-07-11 15:57:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lua-luaexpat (Old)
 and      /work/SRC/openSUSE:Factory/.lua-luaexpat.new.8922 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lua-luaexpat"

Tue Jul 11 15:57:27 2023 rev:11 rq:1098147 version:1.5.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/lua-luaexpat/lua-luaexpat.changes        
2023-03-17 17:04:41.837817806 +0100
+++ /work/SRC/openSUSE:Factory/.lua-luaexpat.new.8922/lua-luaexpat.changes      
2023-07-11 15:57:52.105368613 +0200
@@ -1,0 +2,10 @@
+Tue Jul 11 11:38:13 UTC 2023 - Gordon Leung <piratec...@protonmail.com>
+
+- Update to version 1.5.1:
+ * Added option "allowDTD" to the threat protection parser
+ * Add configuration for Billion Laughs Attack prevention
+ * Expose Expat compile time constants (lxp._EXPAT_FEATURES)
+ * lxp now uses $(INSTALL_DATA)
+ * makefile now uses $(RPM_OPT_FLAGS) $(RPM_LD_FLAGS)
+
+-------------------------------------------------------------------

Old:
----
  luaexpat-1.4.1.tar.gz

New:
----
  luaexpat-1.5.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lua-luaexpat.spec ++++++
--- /var/tmp/diff_new_pack.0fhwox/_old  2023-07-11 15:57:52.677371940 +0200
+++ /var/tmp/diff_new_pack.0fhwox/_new  2023-07-11 15:57:52.681371964 +0200
@@ -20,7 +20,7 @@
 
 %define flavor @BUILD_FLAVOR@
 %define mod_name    luaexpat
-Version:        1.4.1
+Version:        1.5.1
 Release:        0
 Summary:        A SAX XML parser based on the Expat library
 License:        MIT
@@ -28,7 +28,8 @@
 URL:            https://lunarmodules.github.io/luaexpat/
 Source:         
https://github.com/lunarmodules/luaexpat/archive/%{version}/%{mod_name}-%{version}.tar.gz
 BuildRequires:  %{flavor}-devel
-BuildRequires:  libexpat-devel
+# See: https://github.com/lunarmodules/luaexpat/releases/tag/1.5.0
+BuildRequires:  libexpat-devel >= 2.4.6
 BuildRequires:  lua-macros
 Requires:       %{flavor}
 %lua_provides
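Review bot: The comment above the new `libexpat-devel >= 2.4.6` constraint only links to the upstream release page and does not say why 2.4.6 was chosen. The upstream history in this same update gives 2.4.0 as the API minimum and recommends 2.4.6 because of CVEs fixed in between. The comment could say so directly: `# luaexpat >= 1.5.0 needs the Expat 2.4 Billion Laughs API; upstream recommends >= 2.4.6 for the CVE fixes`. Note also that `BuildRequires` constrains only the build root; nothing visible in this hunk sets a matching floor on the libexpat installed at run time, so that is worth confirming if the floor is meant as a security guarantee.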

++++++ luaexpat-1.4.1.tar.gz -> luaexpat-1.5.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/.github/workflows/docs_lint.yml 
new/luaexpat-1.5.1/.github/workflows/docs_lint.yml
--- old/luaexpat-1.4.1/.github/workflows/docs_lint.yml  1970-01-01 
01:00:00.000000000 +0100
+++ new/luaexpat-1.5.1/.github/workflows/docs_lint.yml  2022-10-03 
11:23:43.000000000 +0200
@@ -0,0 +1,22 @@
+name: Docs
+
+on: [push, pull_request]
+
+jobs:
+
+  DocLint:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - uses: anishathalye/proof-html@v1
+        with:
+          directory: ./docs
+          check_favicon: false
+          enforce_https: false
+          url_ignore: |
+            http://www.fabricadigital.com.br
+            http://www.saxproject.org/
+          url_ignore_re: |
+            ^http://files.luaforge.net/
+            ^https://opensource.org/
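Review bot: Both steps reference their actions by mutable tag (`actions/checkout@v3`, `anishathalye/proof-html@v1`) and the workflow declares no `permissions:`, so the third-party step runs with whatever default token scope the repository has. Pinning the third-party action to a full commit hash, for example `uses: anishathalye/proof-html@<full-commit-sha>  # v1` (placeholder), keeps a retagged release from changing what runs. Adding `permissions: { contents: read }` at the top level limits the token to what a link check needs.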
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/.gitignore 
new/luaexpat-1.5.1/.gitignore
--- old/luaexpat-1.4.1/.gitignore       2022-04-01 10:20:20.000000000 +0200
+++ new/luaexpat-1.5.1/.gitignore       2022-10-03 11:23:43.000000000 +0200
@@ -1,3 +1,5 @@
+.vscode
+
 # Compiled Lua sources
 luac.out
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/Makefile new/luaexpat-1.5.1/Makefile
--- old/luaexpat-1.4.1/Makefile 2022-04-01 10:20:20.000000000 +0200
+++ new/luaexpat-1.5.1/Makefile 2022-10-03 11:23:43.000000000 +0200
@@ -24,13 +24,13 @@
 
 src/$(LIBNAME):
        export MACOSX_DEPLOYMENT_TARGET="10.3";
-       $(CC) $(CF) -o $@ src/$(T)lib.c $(LF)
+       $(CC) $(CF) $(RPM_OPT_FLAGS) $(RPM_LD_FLAGS) -o $@ src/$(T)lib.c $(LF)
 
 install:
        $(INSTALL_PROGRAM) -D src/$(LIBNAME) $(DESTDIR)$(LUA_CDIR)/$(LIBNAME)
-       $(INSTALL_PROGRAM) -D src/$T/lom.lua $(DESTDIR)$(LUA_LDIR)/$T/lom.lua
-       $(INSTALL_PROGRAM) -D src/$T/totable.lua 
$(DESTDIR)$(LUA_LDIR)/$T/totable.lua
-       $(INSTALL_PROGRAM) -D src/$T/threat.lua 
$(DESTDIR)$(LUA_LDIR)/$T/threat.lua
+       $(INSTALL_DATA) -D src/$T/lom.lua $(DESTDIR)$(LUA_LDIR)/$T/lom.lua
+       $(INSTALL_DATA) -D src/$T/totable.lua 
$(DESTDIR)$(LUA_LDIR)/$T/totable.lua
+       $(INSTALL_DATA) -D src/$T/threat.lua $(DESTDIR)$(LUA_LDIR)/$T/threat.lua
 
 clean:
        $(RM) src/$(LIBNAME) $(OBJS)
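Review bot: The compile line now takes its extra flags only from `$(RPM_OPT_FLAGS)` and `$(RPM_LD_FLAGS)`, which are rpmbuild-specific names. A build run outside rpmbuild therefore gets no distribution optimisation or hardening flags unless `CF`/`LF` (defined outside this hunk) already carry them. If they do not, also honouring the conventional variables would cover other packagers: `$(CC) $(CF) $(CFLAGS) $(RPM_OPT_FLAGS) $(LDFLAGS) $(RPM_LD_FLAGS) -o $@ src/$(T)lib.c $(LF)`. A short comment above the rule stating that both RPM variables are expected to come from the environment and may be empty would also help.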
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/README.md new/luaexpat-1.5.1/README.md
--- old/luaexpat-1.4.1/README.md        2022-04-01 10:20:20.000000000 +0200
+++ new/luaexpat-1.5.1/README.md        2022-10-03 11:23:43.000000000 +0200
@@ -35,6 +35,7 @@
   rockspec file is touched in the same commit that gets the version tag)
 - the Github actions CI will automatically push a new LuaRocks release
 - test the uploaded rock using: `luarocks install luaexpat`
+- add the new release to the [Github 
releases](https://github.com/lunarmodules/luaexpat/releases)
 
 ## License
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/docs/examples.html 
new/luaexpat-1.5.1/docs/examples.html
--- old/luaexpat-1.4.1/docs/examples.html       2022-04-01 10:20:20.000000000 
+0200
+++ new/luaexpat-1.5.1/docs/examples.html       2022-10-03 11:23:43.000000000 
+0200
@@ -1,5 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<!DOCTYPE html>
 <html>
 <head>
        <title>LuaExpat: XML Expat parsing for the Lua programming 
language</title>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/docs/index.html 
new/luaexpat-1.5.1/docs/index.html
--- old/luaexpat-1.4.1/docs/index.html  2022-04-01 10:20:20.000000000 +0200
+++ new/luaexpat-1.5.1/docs/index.html  2022-10-03 11:23:43.000000000 +0200
@@ -1,5 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<!DOCTYPE html>
 <html>
 <head>
        <title>LuaExpat: XML Expat parsing for the Lua programming 
language</title>
@@ -65,15 +64,15 @@
 <h2><a name="overview"></a>Overview</h2>
 
 <p>LuaExpat is a <a href="http://www.saxproject.org/";>SAX</a> XML parser based 
on the
-<a href="https://www.libexpat.org/";>Expat</a> library.</p>
+<a href="https://libexpat.github.io/";>Expat</a> library.</p>
 
 <p>LuaExpat is free software and uses the same <a href="license.html">MIT 
license</a>
 as Lua 5.1.</p>
 
 <h2><a name="status"></a>Status</h2>
 
-<p>Current version is 1.4.1. It was developed for Lua 5.1 to Lua 5.4, and has 
been tested on
-Linux, Windows (XP) and MacOS X with Expat 2.1.0.</p>
+<p>Current version is 1.5.1. It was developed for Lua 5.1 to Lua 5.4, and has 
been tested on
+Linux and MacOS X with Expat 2.4.0+.</p>
 
 <h2><a name="download"></a>Download</h2>
 
@@ -90,6 +89,33 @@
 <h2><a name="history"></a>History</h2>
 
 <dl class="history">
+       <dt><strong>Version 1.5.1</strong> [03/Oct/2022]</dt>
+       <dd>
+               <ul>
+                       <li>Fix: makefile no longer sets .lua files as 
executabel</li>
+                       <li>Fix: makefile honors $RPM_OPT_FLAGS and 
$RPM_LD_FLAGS</li>
+                       <li>Chore: added BLA test</li>
+               </ul>
+       </dd>
+
+       <dt><strong>Version 1.5.0</strong> [26/Aug/2022]</dt>
+       <dd>
+               <ul>
+                       <li><strong>warning:</strong> this update requires a 
minimum libExpat
+                       version of 2.4.0. Though at the time of writing a 
minimum version of
+                       2.4.6 is recommended <a 
href="https://www.cvedetails.com/vulnerability-list.php?vendor_id=16735";>
+                       due to CVE's fixed</a> in the intermediate 
versions.</li>
+                       <li>Added option "allowDTD" to the threat protection 
parser.</li>
+                       <li>Add configuration for Billion Laughs Attack 
prevention. This includes adding
+                       <code>#include "expat_config.h"</code>, since these 
functions are conditionally
+                       included in the exposed API of Expat. This means that 
LuaExpat will now be compiled
+                       using the same options used to compile Expat 
itself.</li>
+                       <li>Expose Expat compile time constants 
(lxp._EXPAT_FEATURES), see
+                       <a 
href="https://libexpat.github.io/doc/api/latest/#XML_GetFeatureList";>
+                       Expat documentation</a>.</li>
+               </ul>
+       </dd>
+
        <dt><strong>Version 1.4.1</strong> [01/Apr/2022]</dt>
        <dd>
                <ul>
@@ -175,19 +201,16 @@
        </dd>
 
        <dt><strong>Version 1.0</strong> [2/Dec/2004]</dt>
-       <dd />
 
        <dt><strong>Version 1.0 Beta</strong> [4/Apr/2004]</dt>
-       <dd />
 
        <dt><strong>Version 1.0 Alpha</strong> [10/Dec/2003]</dt>
-       <dd />
 </dl>
 
 <h2><a name="references"></a>References</h2>
 
 <p>LuaExpat uses the
-<a href="https://www.libexpat.org/";>Expat</a> library.
+<a href="https://libexpat.github.io/";>Expat</a> library.
 For details on the C API please refer to the article
 <a href="https://www.xml.com/pub/a/1999/09/expat/index.html?page=1";>"Using 
Expat"</a>.</p>
 
@@ -199,7 +222,7 @@
 Carregal and Tom&aacute;s Guisasola as part of the Kepler Project
 which holds its copyright. The implementation was coded by
 Roberto Ierusalimschy, based on a previous design by
-<a href="http://www.place.org/~nop/lua";>Jay Carlson</a>.</p>
+<a href="https://www.place.org/~nop/lua";>Jay Carlson</a>.</p>
 
 <p>LuaExpat development was sponsored by
 <a href="http://www.fabricadigital.com.br";>F&aacute;brica Digital</a> and
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/docs/license.html 
new/luaexpat-1.5.1/docs/license.html
--- old/luaexpat-1.4.1/docs/license.html        2022-04-01 10:20:20.000000000 
+0200
+++ new/luaexpat-1.5.1/docs/license.html        2022-10-03 11:23:43.000000000 
+0200
@@ -1,5 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<!DOCTYPE html>
 <html>
 <head>
        <title>LuaExpat: XML Expat parsing for the Lua programming 
language</title>
@@ -68,7 +67,7 @@
 LuaExpat is free software: it can be used for both academic and
 commercial purposes at absolutely no cost. There are no royalties
 or GNU-like "copyleft" restrictions. LuaExpat qualifies as <a href=
-"https://www.opensource.org/docs/definition.html";>Open Source</a>
+"https://opensource.org/docs/definition.html";>Open Source</a>
 software.</p>
 
 <p>The spirit of the license is that you are free to use LuaExpat
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/docs/lom.html 
new/luaexpat-1.5.1/docs/lom.html
--- old/luaexpat-1.4.1/docs/lom.html    2022-04-01 10:20:20.000000000 +0200
+++ new/luaexpat-1.5.1/docs/lom.html    2022-10-03 11:23:43.000000000 +0200
@@ -1,5 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<!DOCTYPE html>
 <html>
 <head>
        <title>LuaExpat: XML Expat parsing for the Lua programming 
language</title>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/docs/manual.html 
new/luaexpat-1.5.1/docs/manual.html
--- old/luaexpat-1.4.1/docs/manual.html 2022-04-01 10:20:20.000000000 +0200
+++ new/luaexpat-1.5.1/docs/manual.html 2022-10-03 11:23:43.000000000 +0200
@@ -1,5 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<!DOCTYPE html>
 <html>
 <head>
        <title>LuaExpat: XML Expat parsing for the Lua programming 
language</title>
@@ -65,7 +64,7 @@
 <h2><a name="introduction"></a>Introduction</h2>
 
 <p>LuaExpat is a <a href="http://www.saxproject.org/";>SAX</a> XML
-parser based on the <a href="https://www.libexpat.org/";>Expat</a> library.
+parser based on the <a href="https://libexpat.github.io/";>Expat</a> library.
 SAX is the <em>Simple API for XML</em> and allows programs to:
 </p>
 
@@ -206,6 +205,18 @@
        <dd>Sets the <em>base</em> to be used for resolving relative URIs in
        system identifiers. Returns the parser object on success.</dd>
 
+       <dt><strong>parser:setblamaxamplification(max_amp)</strong></dt>
+       <dd>Sets the <em>maximum amplification</em> (float) to be allowed. This
+       protects against the Billion Laughs Attack. The
+       <em>libexpat</em> default is 100. Returns the parser object on 
success.<br/>
+       </dd>
+
+       <dt><strong>parser:setblathreshold(threshold)</strong></dt>
+       <dd>Sets the <em>threshold</em> (int, in bytes) after which the 
protection
+       starts. This protects against the Billion Laughs Attack. The
+       <em>libexpat</em> default is 8 MiB. Returns the parser object on 
success.<br/>
+       </dd>
+
        <dt><strong>parser:setencoding(encoding)</strong></dt>
        <dd>Set the encoding to be used by the parser. There are four
        built-in encodings, passed as strings: "US-ASCII",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/docs/threat.html 
new/luaexpat-1.5.1/docs/threat.html
--- old/luaexpat-1.4.1/docs/threat.html 2022-04-01 10:20:20.000000000 +0200
+++ new/luaexpat-1.5.1/docs/threat.html 2022-10-03 11:23:43.000000000 +0200
@@ -1,5 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<!DOCTYPE html>
 <html>
 <head>
        <title>LuaExpat: XML Expat parsing for the Lua programming 
language</title>
@@ -95,10 +94,12 @@
 
 <h2><a name="options"></a>Options</h2>
 
-<p>Structural checks:<p>
+<p>Structural checks:</p>
 <ul>
        <li><strong>depth</strong> max depth of tags, child elements like Text 
or Comments are
        not counted as another level. Default 50.</li>
+       <li><strong>allowDTD</strong> boolean indicating whether DTDs are 
allowed. Default
+       <code>true</code>.</li>
        <li><strong>maxChildren</strong> max number of children (Element, Text, 
Comment,
        ProcessingInstruction, CDATASection).<br/><em>NOTE</em>: adjacent 
text/CDATA
        sections are counted as 1 (so text-cdata-text-cdata is 1 child). 
Default 100.</li>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/docs/totable.html 
new/luaexpat-1.5.1/docs/totable.html
--- old/luaexpat-1.4.1/docs/totable.html        2022-04-01 10:20:20.000000000 
+0200
+++ new/luaexpat-1.5.1/docs/totable.html        2022-10-03 11:23:43.000000000 
+0200
@@ -1,5 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<!DOCTYPE html>
 <html>
 <head>
        <title>LuaExpat: XML Expat parsing for the Lua programming 
language</title>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/luaexpat-scm-1.rockspec 
new/luaexpat-1.5.1/luaexpat-scm-1.rockspec
--- old/luaexpat-1.4.1/luaexpat-scm-1.rockspec  2022-04-01 10:20:20.000000000 
+0200
+++ new/luaexpat-1.5.1/luaexpat-scm-1.rockspec  2022-10-03 11:23:43.000000000 
+0200
@@ -3,7 +3,6 @@
 local rockspec_revision = "1"
 local github_account_name = "lunarmodules"
 local github_repo_name = package_name
-local git_checkout = package_version == "scm" and "master" or package_version
 
 
 package = package_name
@@ -11,7 +10,8 @@
 
 source = {
        url = 
"git+https://github.com/"..github_account_name.."/"..github_repo_name..".git";,
-       branch = git_checkout
+       branch = (package_version == "scm") and "master" or nil,
+       tag = (package_version ~= "scm") and package_version or nil,
 }
 
 description = {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/rockspecs/luaexpat-1.5.0-1.rockspec 
new/luaexpat-1.5.1/rockspecs/luaexpat-1.5.0-1.rockspec
--- old/luaexpat-1.4.1/rockspecs/luaexpat-1.5.0-1.rockspec      1970-01-01 
01:00:00.000000000 +0100
+++ new/luaexpat-1.5.1/rockspecs/luaexpat-1.5.0-1.rockspec      2022-10-03 
11:23:43.000000000 +0200
@@ -0,0 +1,51 @@
+local package_name = "luaexpat"
+local package_version = "1.5.0"
+local rockspec_revision = "1"
+local github_account_name = "lunarmodules"
+local github_repo_name = package_name
+
+
+package = package_name
+version = package_version .. "-" .. rockspec_revision
+
+source = {
+       url = 
"git+https://github.com/"..github_account_name.."/"..github_repo_name..".git";,
+       branch = (package_version == "scm") and "master" or nil,
+       tag = (package_version ~= "scm") and package_version or nil,
+}
+
+description = {
+       summary = "XML Expat parsing",
+       detailed = [[
+               LuaExpat is a SAX (Simple API for XML) XML parser based on the
+               Expat library.
+       ]],
+       license = "MIT/X11",
+       homepage = 
"https://"..github_account_name..".github.io/"..github_repo_name,
+}
+
+dependencies = {
+       "lua >= 5.1"
+}
+
+external_dependencies = {
+       EXPAT = {
+               header = "expat.h"
+       }
+}
+
+build = {
+       type = "builtin",
+       modules = {
+               lxp = {
+                       sources = { "src/lxplib.c" },
+                       libraries = { "expat" },
+                       incdirs = { "$(EXPAT_INCDIR)", "src/" },
+                       libdirs = { "$(EXPAT_LIBDIR)" },
+               },
+               ["lxp.lom"] = "src/lxp/lom.lua",
+               ["lxp.totable"] = "src/lxp/totable.lua",
+               ["lxp.threat"] = "src/lxp/threat.lua",
+       },
+       copy_directories = { "docs" }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/rockspecs/luaexpat-1.5.1-1.rockspec 
new/luaexpat-1.5.1/rockspecs/luaexpat-1.5.1-1.rockspec
--- old/luaexpat-1.4.1/rockspecs/luaexpat-1.5.1-1.rockspec      1970-01-01 
01:00:00.000000000 +0100
+++ new/luaexpat-1.5.1/rockspecs/luaexpat-1.5.1-1.rockspec      2022-10-03 
11:23:43.000000000 +0200
@@ -0,0 +1,51 @@
+local package_name = "luaexpat"
+local package_version = "1.5.1"
+local rockspec_revision = "1"
+local github_account_name = "lunarmodules"
+local github_repo_name = package_name
+
+
+package = package_name
+version = package_version .. "-" .. rockspec_revision
+
+source = {
+       url = 
"git+https://github.com/"..github_account_name.."/"..github_repo_name..".git";,
+       branch = (package_version == "scm") and "master" or nil,
+       tag = (package_version ~= "scm") and package_version or nil,
+}
+
+description = {
+       summary = "XML Expat parsing",
+       detailed = [[
+               LuaExpat is a SAX (Simple API for XML) XML parser based on the
+               Expat library.
+       ]],
+       license = "MIT/X11",
+       homepage = 
"https://"..github_account_name..".github.io/"..github_repo_name,
+}
+
+dependencies = {
+       "lua >= 5.1"
+}
+
+external_dependencies = {
+       EXPAT = {
+               header = "expat.h"
+       }
+}
+
+build = {
+       type = "builtin",
+       modules = {
+               lxp = {
+                       sources = { "src/lxplib.c" },
+                       libraries = { "expat" },
+                       incdirs = { "$(EXPAT_INCDIR)", "src/" },
+                       libdirs = { "$(EXPAT_LIBDIR)" },
+               },
+               ["lxp.lom"] = "src/lxp/lom.lua",
+               ["lxp.totable"] = "src/lxp/totable.lua",
+               ["lxp.threat"] = "src/lxp/threat.lua",
+       },
+       copy_directories = { "docs" }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/spec/01-lxp_spec.lua 
new/luaexpat-1.5.1/spec/01-lxp_spec.lua
--- old/luaexpat-1.4.1/spec/01-lxp_spec.lua     2022-04-01 10:20:20.000000000 
+0200
+++ new/luaexpat-1.5.1/spec/01-lxp_spec.lua     2022-10-03 11:23:43.000000000 
+0200
@@ -80,6 +80,8 @@
                        assert.is.string(lxp._DESCRIPTION)
                        assert.is.string(lxp._COPYRIGHT)
                        assert.is.string(lxp._EXPAT_VERSION)
+                       assert.is.table(lxp._EXPAT_FEATURES)
+                       assert.is.number(lxp._EXPAT_FEATURES.XML_CONTEXT_BYTES)
                end)
 
 
@@ -96,9 +98,16 @@
                end)
 
 
-               it("setbase, setencoding, close, and parse return parser upon 
success", function()
+               it("setbase, setblamaxamplification, setblathreshold, 
setencoding, close, and parse return parser upon success", function()
                        assert.has.no.error(function()
-                               
lxp.new({}):setbase("/base"):setencoding("ISO-8859-1"):parse("<root/>"):parse():close():close()
+                               lxp.new({}):setbase("/base"):
+                                                       
setblamaxamplification(55.55):
+                                                       
setblathreshold(1024*1024):
+                                                       
setencoding("ISO-8859-1"):
+                                                       parse("<root/>"):
+                                                       parse():
+                                                       close():
+                                                       close()
                        end)
                end)
 
@@ -1096,6 +1105,38 @@
 
 
 
+       describe("BLA protection", function()
+               local bla_body = [[<?xml version="1.0"?>
+                       <!DOCTYPE lolz [
+                               <!ENTITY lol "lol">
+                               <!ELEMENT lolz (#PCDATA)>
+                               <!ENTITY lol1 
"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+                               <!ENTITY lol2 
"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+                               <!ENTITY lol3 
"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+                               <!ENTITY lol4 
"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+                               <!ENTITY lol5 
"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+                               <!ENTITY lol6 
"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+                               <!ENTITY lol7 
"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+                               <!ENTITY lol8 
"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+                               <!ENTITY lol9 
"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+                               <!ENTITY lola 
"&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;">
+                               <!ENTITY lolb 
"&lola;&lola;&lola;&lola;&lola;&lola;&lola;&lola;&lola;&lola;">
+                       ]>
+                       <lolz>&lolb;</lolz>
+               ]]
+
+               it("fails if amplification too big", function()
+                       local p = test_parser { "StartElement", "EndElement", 
"CharacterData" }
+                       local ok, err = p:parse(bla_body)
+                       assert.is_nil(ok)
+                       assert.equal("limit on input amplification factor (from 
DTD and entities) breached", err)
+               end)
+
+
+       end)
+
+
+
        describe("garbage collection", function()
 
                local gcinfo = function() return collectgarbage"count" end
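Review bot: The new "BLA protection" block exercises only Expat's default limits, so nothing checks that `setblamaxamplification` or `setblathreshold` actually change the outcome. Elsewhere in this file the setters are tested only for returning the parser. A second case that tightens the limits on a parser before parsing a small entity-expanding document, and expects the same failure, would show the settings take effect. The assertion also pins Expat's exact error text, which will break if the library rewords it; `assert.matches("amplification factor", err)` is less brittle. `test_parser` is defined outside this hunk.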
@@ -1117,7 +1158,7 @@
                        end
                        collectgarbage()
                        collectgarbage()
-                       assert(math.abs(gcinfo() - x) <= 2)
+                       assert.near(x, gcinfo(), 2)
                end)
 
 
@@ -1149,7 +1190,7 @@
                        end
                        collectgarbage()
                        collectgarbage()
-                       assert(math.abs(gcinfo() - x) <= 2)
+                       assert.near(x, gcinfo(), 2)
                end)
 
        end)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/spec/02-threat_spec.lua 
new/luaexpat-1.5.1/spec/02-threat_spec.lua
--- old/luaexpat-1.4.1/spec/02-threat_spec.lua  2022-04-01 10:20:20.000000000 
+0200
+++ new/luaexpat-1.5.1/spec/02-threat_spec.lua  2022-10-03 11:23:43.000000000 
+0200
@@ -155,6 +155,53 @@
 
 
 
+       describe("allowDTD:", function()
+
+               it("accepts if allowed", function()
+                       local r, err = p:parse(d[[
+                               <?xml version="1.0" standalone="yes"?>
+                               <!DOCTYPE test_doc [
+                                       <!ELEMENT br EMPTY>
+                               ]>
+                       ]])
+
+                       assert.equal(nil, err)
+                       assert.truthy(r)
+                       assert.same({
+                               { "XmlDecl", "1.0", nil, true },
+                               { "Default", "\n"},
+                               { "StartDoctypeDecl", "test_doc", nil, nil, 
true },
+                               { "Default", "\n\t"},
+                               { "ElementDecl", "br", "EMPTY" },
+                               { "Default", "\n"},
+                               { "EndDoctypeDecl" },
+                               { "Default", "\n\n"},
+                       }, cbdata)
+               end)
+
+
+               it("blocks if not allowed", function()
+                       local old_dtd = threat.allowDTD
+                       finally(function()
+                               threat.allowDTD = old_dtd
+                       end)
+                       threat.allowDTD = false
+
+                       local r, err = p:parse(d[[
+                               <?xml version="1.0" standalone="yes"?>
+                               <!DOCTYPE test_doc [
+                                       <!ELEMENT br EMPTY>
+                               ]>
+                       ]])
+
+                       assert.equal("DTD is not allowed", err)
+                       assert.falsy(r)
+               end)
+
+       end)
+
+
+
        describe("children:", function()
 
                it("accepts on the edge (3)", function()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/src/lxp/threat.lua 
new/luaexpat-1.5.1/src/lxp/threat.lua
--- old/luaexpat-1.4.1/src/lxp/threat.lua       2022-04-01 10:20:20.000000000 
+0200
+++ new/luaexpat-1.5.1/src/lxp/threat.lua       2022-10-03 11:23:43.000000000 
+0200
@@ -16,6 +16,7 @@
 
 local defaults = {
        depth = 50,                             -- depth of tags
+       allowDTD = true,                -- is a DTD allowed
 
        -- counts
        maxChildren = 100,              -- max number of children (DOM2;  
Element, Text, Comment,
@@ -56,7 +57,9 @@
 
        -- apply defaults
        for setting, value in pairs(defaults) do
-               checks[setting] = checks[setting] or value
+               if checks[setting] == nil then
+                       checks[setting] = value
+               end
        end
        if separator == nil then
                checks.maxNamespaces = nil
@@ -119,6 +122,14 @@
                local ok, err = parser:setbase(base)
                return ok == parser and p or ok, err
        end
+       function p:setblamaxamplification(amp)
+               local ok, err = parser:setblamaxamplification(amp)
+               return ok == parser and p or ok, err
+       end
+       function p:setblathreshold(threshold)
+               local ok, err = parser:setblathreshold(threshold)
+               return ok == parser and p or ok, err
+       end
        function p:setencoding(encoding)
                local ok, err = parser:setencoding(encoding)
                return ok == parser and p or ok, err
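Review bot: Both new wrappers call `parser:setblamaxamplification` and `parser:setblathreshold` unconditionally, but lxplib.c in this same update registers those methods only under `#ifdef XML_DTD`. With an Expat built without DTD support the call would presumably raise a Lua error on a missing method rather than return `nil, err` as the neighbouring setters do. The chained call in spec/01-lxp_spec.lua and the new manual entries make the same assumption. A guard such as `if not parser.setblathreshold then return nil, "BLA protection not available in this Expat build" end` at the top of each wrapper would keep the failure mode consistent. The enclosing function starts and ends outside this hunk.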
@@ -274,6 +285,9 @@
 
                elseif key == "StartDoctypeDecl" then  -- TODO: implement
                        ncb = function(parser, name, sysid, pubid, 
has_internal_subset)
+                               if not checks.allowDTD then
+                                       return threat_error("DTD is not 
allowed")
+                               end
                                return callbacks.StartDoctypeDecl(p, name, 
sysid, pubid, has_internal_subset)
                        end
 
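Review bot: The `allowDTD` check sits inside the wrapper built for the `StartDoctypeDecl` key, so whether it runs for a parser created without a `StartDoctypeDecl` callback depends on the loop that selects `key`, which is outside this hunk. If that loop walks only the callbacks the caller supplied, `allowDTD = false` would not block DTDs for such parsers, and the wrapper should then be installed regardless of what the caller registered. The new spec in spec/02-threat_spec.lua records a `StartDoctypeDecl` event in `cbdata`, so it appears to cover only the case where that callback is present. A test with a parser that registers no `StartDoctypeDecl` callback and still expects "DTD is not allowed" would settle it.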
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/src/lxplib.c 
new/luaexpat-1.5.1/src/lxplib.c
--- old/luaexpat-1.4.1/src/lxplib.c     2022-04-01 10:20:20.000000000 +0200
+++ new/luaexpat-1.5.1/src/lxplib.c     2022-10-03 11:23:43.000000000 +0200
@@ -9,7 +9,11 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "expat_config.h"
 #include "expat.h"
+#if (XML_MAJOR_VERSION == 2 && XML_MINOR_VERSION < 4) || (XML_MAJOR_VERSION < 
2)
+#error Expat 2.4 or newer is required
+#endif
 
 #include "lua.h"
 #include "lauxlib.h"
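Review bot: The new version guard accepts any Expat 2.4.x header, while the history entry added to docs/index.html in this update recommends 2.4.6 because of CVEs fixed in the intermediate versions. If 2.4.0 is deliberately the hard floor, a comment next to the `#error` should say so, for example `/* 2.4.0 is the API floor for the Billion Laughs setters; 2.4.6+ is recommended for its security fixes */`. The guard also inspects only the headers present at compile time, so it does not describe the library loaded at run time. Separately, `expat_config.h` is a build-configuration header that may not be shipped by every libexpat development package, so that assumption deserves a line in the build notes.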
@@ -712,6 +716,7 @@
   return 1;
 }
 
+
 static int lxp_setencoding (lua_State *L) {
   lxp_userdata *xpu = checkparser(L, 1);
   const char *encoding = luaL_checkstring(L, 2);
@@ -721,12 +726,41 @@
   return 1;
 }
 
+
 static int lxp_stop (lua_State *L) {
   lxp_userdata *xpu = checkparser(L, 1);
   lua_pushboolean(L, XML_StopParser(xpu->parser, XML_FALSE) == XML_STATUS_OK);
   return 1;
 }
 
+
+/* Billion Laughs Attack mitigation from Expat 2.4.0+ */
+#ifdef XML_DTD
+static int lxp_bla_maximum_amplification (lua_State *L) {
+  lxp_userdata *xpu = checkparser(L, 1);
+  if (! XML_SetBillionLaughsAttackProtectionMaximumAmplification(xpu->parser, 
luaL_checknumber(L, 2))) {
+    lua_pushnil(L);
+    lua_pushliteral(L, "failed to set BLA maximum amplification");
+    return 2;
+  }
+  lua_settop(L, 1);
+  return 1;
+}
+
+
+static int lxp_bla_activation_threshold (lua_State *L) {
+  lxp_userdata *xpu = checkparser(L, 1);
+  if (! XML_SetBillionLaughsAttackProtectionActivationThreshold(xpu->parser, 
luaL_checkinteger(L, 2))) {
+    lua_pushnil(L);
+    lua_pushliteral(L, "failed to set BLA activation threshold");
+    return 2;
+  }
+  lua_settop(L, 1);
+  return 1;
+}
+#endif
+
+
 #if !defined LUA_VERSION_NUM
 /* Lua 5.0 */
 #define luaL_Reg luaL_reg
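Review bot: In `lxp_bla_activation_threshold` the result of `luaL_checkinteger` is passed straight to `XML_SetBillionLaughsAttackProtectionActivationThreshold`, whose parameter is an unsigned byte count. A negative Lua value would be converted to a very large threshold instead of being rejected, which in effect switches the protection off. Validating first keeps a bad configuration value from doing that silently: `lua_Integer threshold = luaL_checkinteger(L, 2);` followed by `luaL_argcheck(L, threshold >= 0, 2, "threshold must not be negative");`. In `lxp_bla_maximum_amplification` the `lua_Number` is narrowed to `float` implicitly; an explicit `(float)` cast and a comment that Expat itself rejects NaN and values below 1.0 would make the intent clear.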
@@ -750,6 +784,10 @@
   {"setbase", setbase},
   {"returnnstriplet", lxp_setreturnnstriplet},
   {"stop", lxp_stop},
+#ifdef XML_DTD
+  {"setblamaxamplification", lxp_bla_maximum_amplification},
+  {"setblathreshold", lxp_bla_activation_threshold},
+#endif
   {NULL, NULL}
 };
 
@@ -775,6 +813,17 @@
   lua_pushliteral (L, "_EXPAT_VERSION");
   lua_pushstring (L, XML_ExpatVersion());
   lua_settable (L, -3);
+  /* create feature list */
+  lua_pushliteral (L, "_EXPAT_FEATURES");
+  lua_newtable (L);
+
+  const XML_Feature *features;
+  for (features = XML_GetFeatureList (); features->name != NULL; features++) {
+    lua_pushstring (L, features->name);
+    lua_pushinteger (L, features->value);
+    lua_settable (L, -3);
+  }
+  lua_settable (L, -3);
 }
 
 int luaopen_lxp (lua_State *L) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/luaexpat-1.4.1/src/lxplib.h 
new/luaexpat-1.5.1/src/lxplib.h
--- old/luaexpat-1.4.1/src/lxplib.h     2022-04-01 10:20:20.000000000 +0200
+++ new/luaexpat-1.5.1/src/lxplib.h     2022-10-03 11:23:43.000000000 +0200
@@ -3,7 +3,7 @@
 */
 
 #define LuaExpatCopyright      "Copyright (C) 2003-2007 The Kepler Project, 
2013-2022 Matthew Wild"
-#define LuaExpatVersion                "LuaExpat 1.4.1"
+#define LuaExpatVersion                "LuaExpat 1.5.1"
 #define ParserType             "Expat"
 
 #define StartCdataKey                  "StartCdataSection"
