[xml/sgml-pkgs] Bug#770836: libxml2: please consider adding a patch fixing invalid output
Aron Xu
aron at debian.org
Fri Jan 30 06:05:14 UTC 2015
On Mon, Nov 24, 2014 at 10:22 PM, Thorsten Glaser <t.glaser at tarent.de> wrote:
> Source: libxml2
> Version: 2.9.2+dfsg1-1
> Severity: wishlist
> Tags: patch upstream forwarded-upstream
> Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=739574
>
> Hi,
>
> please consider applying the attached patch in subsequent uploads,
> at least until upstream has integrated it. It fixes:
>
> • replace several ad-hōc UTF-8 decoders with calls to one that
> does the thing right (validate input string length and encoding,
> and check for minimal encoded values)
>
> • in several places, check the values for being actually ok in
> XML documents, which limits what Unicode codepoints may be used
> ‣ when there was already error handling in place, re-use that
> ‣ otherwise silently drop the characters, to not break any
> existing application
>
> This prevents e.g. a SOAP-WS client written in PHP from sending
> invalid XML as SOAP request over the wire for strings containing
> e.g. literal backspace characters.
>
I'd rather wait for upstream's reaction for a longer time, since
deltas to libxml2 from upstream must be dealt with carefully (as said, the
more you read the code then...).
Thanks,
Aron