[xml/sgml-pkgs] Bug#770836: libxml2: please consider adding a patch fixing invalid output

Aron Xu aron at debian.org
Fri Jan 30 06:05:14 UTC 2015

On Mon, Nov 24, 2014 at 10:22 PM, Thorsten Glaser <t.glaser at tarent.de> wrote:
> Source: libxml2
> Version: 2.9.2+dfsg1-1
> Severity: wishlist
> Tags: patch upstream forwarded-upstream
> Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=739574
> Hi,
> please consider applying the attached patch in subsequent uploads,
> at least until upstream has integrated it. It fixes:
> • replace several ad-hōc UTF-8 decoders with calls to one that
>   does the thing right (validate input string length and encoding,
>   and check for minimal encoded values)
> • in several places, check the values for being actually ok in
>   XML documents, which limits what Unicode codepoints may be used
>   ‣ when there was already error handling in place, re-use that
>   ‣ otherwise silently drop the characters, to not break any
>     existing application
> This prevents e.g. a SOAP-WS client written in PHP from sending
> invalid XML as SOAP request over the wire for strings containing
> e.g. literal backspace characters.

I'd rather wait for upstream's reaction for a longer time, since
deltas to libxml2 from upstream must be dealt carefully (as said, the
more you read the code then...).


More information about the debian-xml-sgml-pkgs mailing list