shlomif / perl-XML-LibXML

The XML-LibXML CPAN Distribution for Processing XML using the libxml2 library
https://metacpan.org/release/XML-LibXML

Default value for option load_ext_dtd is 0. Default value for option expand_entities is 0 #48

Closed thibaultduponchelle closed 3 years ago

thibaultduponchelle commented 4 years ago

Hello,

Following my other PR, I double-checked and propose this documentation update. It seems related to a recent security change (aligning with libxml2 behavior concerning the XXE security issue).

#!/usr/bin/env perl
use strict;
use warnings;

use XML::LibXML;

# Fresh parser: read back the two options without touching them.
my $parser = XML::LibXML->new();
print "Test default values\n";
print "Default expand_entities() [" . $parser->expand_entities() ."]\n";
print "Default load_ext_dtd() [" . $parser->load_ext_dtd() ."]\n";

# Fresh parser: enable expand_entities only, then read both options back.
$parser = XML::LibXML->new();
$parser->expand_entities(1);
print "Set expand_entities then test default values :\n";
print "expand_entities() [" . $parser->expand_entities() ."]\n";
print "load_ext_dtd() [" . $parser->load_ext_dtd() ."]\n";

# Fresh parser: enable expand_entities, then explicitly switch load_ext_dtd off again.
$parser = XML::LibXML->new();
$parser->expand_entities(1);
$parser->set_option(load_ext_dtd => 0);
print "Set expand_entities and unset load_ext_dtd then test default values :\n";
print "expand_entities() [" . $parser->expand_entities() ."]\n";
print "load_ext_dtd() [" . $parser->load_ext_dtd() ."]\n";

It produces:

Test default values
Default expand_entities() [0]
Default load_ext_dtd() [0]
Set expand_entities then test default values :
expand_entities() [1]
load_ext_dtd() [1]
Set expand_entities and unset load_ext_dtd then test default values :
expand_entities() [1]
load_ext_dtd() [0]

Best regards.

Thibault
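The script above only prints the option values; the following is an added example (not part of the pull request or of XML::LibXML itself) that shows why those defaults matter. It writes a constructed "secret" file to a temp path, feeds the parser a constructed document whose internal subset declares an external entity pointing at that file, and compares what ends up in the parsed tree under the defaults (expand_entities=0, load_ext_dtd=0), after expand_entities(1) (which, as the thread shows, also turns load_ext_dtd on), and after expand_entities(1) followed by set_option(load_ext_dtd => 0). The last case is the caveat: load_ext_dtd governs loading of the external DTD subset, so switching it off does not undo entity expansion, and the file is still read. The observed behaviour assumes a libxml2 release (2.9 or later) that only loads external parsed entities when entity substitution or validation is requested.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed stand-in for a sensitive local file (e.g. /etc/passwd).
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print {$fh} "SECRET-TOKEN-12345";
close $fh;

# Constructed attacker-controlled document: the internal subset declares an
# external entity that resolves to the local file above, and the body
# references it. No network access is involved, only file://.
my $xml = <<"END_XML";
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<data>&xxe;</data>
END_XML

# Parse with the given parser and return the text content of <data>.
# Without entity substitution the reference stays an unexpanded entity
# reference node and contributes no text; with substitution the file
# contents are spliced into the tree.
sub extract_data {
    my ($parser) = @_;
    my $doc = eval { $parser->parse_string($xml) };
    return "parse error: $@" unless $doc;
    return $doc->documentElement->textContent;
}

sub report {
    my ($label, $parser) = @_;
    printf "%-45s expand_entities=%d load_ext_dtd=%d -> [%s]\n",
        $label, $parser->expand_entities(), $parser->load_ext_dtd(),
        extract_data($parser);
}

# 1. Library defaults: both options off, the entity is never resolved.
report("defaults", XML::LibXML->new());

# 2. expand_entities(1) alone: load_ext_dtd is switched on as a side effect,
#    and the local file is read into the document.
my $unsafe = XML::LibXML->new();
$unsafe->expand_entities(1);
report("expand_entities(1)", $unsafe);

# 3. Turning load_ext_dtd back off does not help: the entity is declared in
#    the internal subset and expand_entities is still on, so the file is
#    still read. Only expand_entities controls this.
my $half = XML::LibXML->new();
$half->expand_entities(1);
$half->set_option(load_ext_dtd => 0);
report("expand_entities(1) + load_ext_dtd(0)", $half);

# 4. Hardened construction for untrusted input: set both explicitly rather
#    than relying on defaults that changed between releases, then verify.
my $hardened = XML::LibXML->new(expand_entities => 0, load_ext_dtd => 0);
die "parser still expands entities" if $hardened->expand_entities();
die "parser still loads external DTDs" if $hardened->load_ext_dtd();
report("explicit expand_entities=0, load_ext_dtd=0", $hardened);
```

Cases 1 and 4 print an empty bracket; cases 2 and 3 print the token from the temp file. When auditing code that parses untrusted XML with XML::LibXML, grep for expand_entities, load_ext_dtd, and the corresponding keys passed to new() or load_xml(), and treat any 1 as a finding regardless of what the other option is set to.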

thibaultduponchelle commented 4 years ago

This pull request could be merged independently from #47 (no mention of complete_attributes) because it updates the doc to the current XML::LibXML behaviour.

It is linked to #39

thibaultduponchelle commented 3 years ago

Hello,

It's only a doc change; I think it could be merged. WDYT?

gregoa commented 2 years ago

This issue came to my attention by a note from @vinc17fr in the Debian bug tracker at https://bugs.debian.org/1003810 where they notice that the documentation doesn't match the changed behaviour. Also @timretout commented in #39 that the docs still need fixing.

Not sure why this PR was closed half a year ago, but I hope there still is a possibility that the behaviour changes can be documented? I guess that might help other surprised users :)

Cheers, gregor, Debian Perl Group

thibaultduponchelle commented 2 years ago

Hello @gregoa 😃

I closed this PR (and the other) because of inactivity.

gregoa commented 2 years ago

Well, as the problem, in my understanding, still persists -- may I suggest you re-open it? (Or, if @shlomif prefers, I can open a new issue.)

thibaultduponchelle commented 2 years ago

I can't reopen these PRs since I deleted my forks (even after trying to push the branches again, the link is broken and stays broken).

I will reopen 2 new PRs.

gregoa commented 2 years ago

Thanks!