From: DongHun Kwak Date: Mon, 25 Jul 2022 01:33:46 +0000 (+0900) Subject: Imported Upstream version 2.25 X-Git-Tag: upstream/2.25^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=9fe7e47a85ce75fe430beac44cad097e99834408;p=platform%2Fupstream%2Fperl-XML-Simple.git Imported Upstream version 2.25 --- diff --git a/Changes b/Changes index 585bdca..4568b75 100644 --- a/Changes +++ b/Changes @@ -1,5 +1,10 @@ Revision history for XML-Simple +2.25 2018-03-18 16:18:24+13:00 Pacific/Auckland + - disable entity expansion when using XML::Parser, for more secure default + behaviour (patch from Ray Morris) + - call to XML::Parser constructor is now in its own method to ease overriding + 2.24 2017-04-17 16:12:00+12:00 Pacific/Auckland - fix typo in last commit with mistakenly removed some underscores - don't initialise $XML::Simple::PREFERRED_PARSER to undef as a caller may diff --git a/LICENSE b/LICENSE index 3927bc0..71aa94c 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -This software is copyright (c) 2015 by Grant McLean. +This software is copyright (c) 2018 by Grant McLean. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. @@ -12,7 +12,7 @@ b) the "Artistic License" --- The GNU General Public License, Version 1, February 1989 --- -This software is Copyright (c) 2015 by Grant McLean. +This software is Copyright (c) 2018 by Grant McLean. This is free software, licensed under: @@ -272,7 +272,7 @@ That's all there is to it! --- The Artistic License 1.0 --- -This software is Copyright (c) 2015 by Grant McLean. +This software is Copyright (c) 2018 by Grant McLean. This is free software, licensed under: diff --git a/MANIFEST b/MANIFEST index 036fd95..e97c2ed 100644 --- a/MANIFEST +++ b/MANIFEST @@ -22,6 +22,7 @@ t/8_Namespaces.t t/9_Strict.t t/A_XMLParser.t t/B_Hooks.t +t/C_External_Entities.t t/author-pod-syntax.t t/desertnet.src t/lib/TagsToUpper.pm diff --git a/META.json b/META.json index d82ce98..521102b 100644 --- a/META.json +++ b/META.json @@ -34,6 +34,7 @@ }, "test" : { "requires" : { + "File::Temp" : "0", "Test::More" : "0.88" } } @@ -46,6 +47,6 @@ "web" : "https://github.com/grantm/xml-simple" } }, - "version" : "2.24" + "version" : "2.25" } diff --git a/META.yml b/META.yml index 0644a3d..4b767e9 100644 --- a/META.yml +++ b/META.yml @@ -3,6 +3,7 @@ abstract: 'An API for simple XML files' author: - 'Grant McLean ' build_requires: + File::Temp: '0' Test::More: '0.88' configure_requires: ExtUtils::MakeMaker: '0' @@ -20,4 +21,4 @@ requires: perl: '5.008' resources: repository: git://github.com/grantm/xml-simple.git -version: '2.24' +version: '2.25' diff --git a/Makefile.PL b/Makefile.PL index 624129b..524a9f6 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -22,9 +22,10 @@ my %WriteMakefileArgs = ( "XML::SAX::Expat" => 0 }, "TEST_REQUIRES" => { + "File::Temp" => 0, "Test::More" => "0.88" }, - "VERSION" => "2.24", + "VERSION" => "2.25", "test" => { "TESTS" => "t/*.t" } @@ -32,6 +33,7 @@ my %WriteMakefileArgs = ( my %FallbackPrereqs = ( + "File::Temp" => 0, "Test::More" => "0.88", "XML::NamespaceSupport" => "1.04", "XML::SAX" => "0.15", diff --git a/README b/README index bfc72e8..4c88fec 100644 --- a/README +++ b/README @@ -1,11 +1,11 @@ This archive contains the distribution XML-Simple, -version 2.24: +version 2.25: An API for simple XML files -This software is copyright (c) 2015 by Grant McLean. +This software is copyright (c) 2018 by Grant McLean. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. diff --git a/dist.ini b/dist.ini index 67756e0..d2f02c2 100644 --- a/dist.ini +++ b/dist.ini @@ -1,9 +1,9 @@ name = XML-Simple author = Grant McLean -version = 2.24 +version = 2.25 license = Perl_5 copyright_holder = Grant McLean -copyright_year = 2015 +copyright_year = 2018 main_module = lib/XML/Simple.pm repository = git://github.com/grantm/xml-simple.git @@ -24,3 +24,4 @@ XML::NamespaceSupport = 1.04 [Prereqs / TestRequires] Test::More = 0.88 +File::Temp = 0 diff --git a/lib/XML/Simple.pm b/lib/XML/Simple.pm index c08df57..afcbd81 100644 --- a/lib/XML/Simple.pm +++ b/lib/XML/Simple.pm @@ -1,12 +1,12 @@ package XML::Simple; -$XML::Simple::VERSION = '2.24'; +$XML::Simple::VERSION = '2.25'; =head1 NAME XML::Simple - An API for simple XML files =head1 SYNOPSIS -You really don't want to use this module in new code. If you ignore this +PLEASE DO NOT USE THIS MODULE IN NEW CODE. If you ignore this warning and use it anyway, the C mode will save you a little pain. use XML::Simple qw(:strict); @@ -427,7 +427,8 @@ sub build_tree_xml_parser { carp "'nsexpand' option requires XML::SAX"; } - my $xp = XML::Parser->new(Style => 'Tree', @{$self->{opt}->{parseropts}}); + my $xp = $self->new_xml_parser(); + my($tree); if($filename) { # $tree = $xp->parsefile($filename); # Changed due to prob w/mod_perl @@ -442,6 +443,23 @@ sub build_tree_xml_parser { } +############################################################################## +# Method: new_xml_parser() +# +# Simply calls the XML::Parser constructor. Override this method to customise +# the behaviour of the parser. +# + +sub new_xml_parser { + my($self) = @_; + + my $xp = XML::Parser->new(Style => 'Tree', @{$self->{opt}->{parseropts}}); + $xp->setHandlers(ExternEnt => sub {return $_[2]}); + + return $xp; +} + + ############################################################################## # Method: cache_write_storable() # @@ -1906,10 +1924,13 @@ __END__ =head1 STATUS OF THIS MODULE -The use of this module in new code is discouraged. Other modules are available -which provide more straightforward and consistent interfaces. In particular, -L is highly recommended and L is an excellent -alternative. +The use of this module in new code is B. Other modules +are available which provide more straightforward and consistent interfaces. In +particular, L is highly recommended and you can refer to +L +for a tutorial introduction. + +L is another excellent alternative. The major problems with this module are the large number of options (some of which have unfortunate defaults) and the arbitrary ways in which these options @@ -2871,6 +2892,11 @@ by examining the source, but those may be subject to change in future releases. =over 4 +=item new_xml_parser() + +This method will be called when a new XML::Parser object must be constructed +(either because XML::SAX is not installed or XML::Parser is preferred). + =item handle_options(direction, name => value ...) This method will be called when one of the parsing methods or the C diff --git a/lib/XML/Simple/FAQ.pod b/lib/XML/Simple/FAQ.pod index 77a6fcc..de4138e 100644 --- a/lib/XML/Simple/FAQ.pod +++ b/lib/XML/Simple/FAQ.pod @@ -6,21 +6,34 @@ XML::Simple::FAQ - Frequently Asked Questions about XML::Simple =head1 Basics -=head2 What is XML::Simple designed to be used for? +=head2 What should I use XML::Simple for? -XML::Simple is a Perl module that was originally developed as a tool for -reading and writing configuration data in XML format. You can use it for -many other purposes that involve storing and retrieving structured data in -XML. +Nothing! + +It's as simple as that. + +Choose a better module. See +L +for a gentle introduction to L with lots of examples. -You might also find XML::Simple a good starting point for playing with XML -from Perl. It doesn't have a steep learning curve and if you outgrow its -capabilities there are plenty of other Perl/XML modules to 'step up' to. + +=head2 What was XML::Simple designed to be used for? + +XML::Simple is a Perl module that was originally developed as a tool for +reading and writing configuration data in XML format. You could use it for +other purposes that involve storing and retrieving structured data in +XML but it's likely to be a frustrating experience. =head2 Why store configuration data in XML anyway? -The many advantages of using XML format for configuration data include: +It seemed like a good idea at the time. Now, I use and recommend +L which uses a format similar to that used by the Apache web +server. This is easier to read than XML while still allowing advanced concepts +such as nested sections. + +At the time XML::Simple was written, the advantages of using XML format for +configuration data were thought to include: =over 4 @@ -75,6 +88,13 @@ content' (see the next question). If you consider your XML files contain marked up text rather than structured data, you should probably use another module. +If your source XML documents change regularly, it's likely that you will +experience intermittent failures. In particular, failure to properly use the +ForceArray and KeyAttr options will produce code that works when you get a list +of elements with the same name, but fails when there's only one item in the +list. These types of problems can be avoided by not using XML::Simple in the +first place. + If you are working with very large XML files, XML::Simple's approach of representing the whole file in memory as a 'tree' data structure may not be suitable. @@ -131,8 +151,10 @@ FAQ at: =head2 How do I install XML::Simple? -If you're running ActiveState Perl, you've probably already got XML::Simple -(although you may want to upgrade to version 1.09 or better for SAX support). +If you're running ActiveState Perl, or +L you've probably already got +XML::Simple and therefore do not need to install it at all. But you probably +also have L, which is a much better module, so just use that. If you do need to install XML::Simple, you'll need to install an XML parser module first. Install either XML::Parser (which you may have already) or @@ -216,14 +238,12 @@ XML::SAX::Expat or XML::LibXML. =head2 How do I use XML::Simple? -If you had an XML document called /etc/appconfig/foo.xml you could 'slurp' it -into a simple data structure (typically a hashref) with these lines of code: - - use XML::Simple; - - my $config = XMLin('/etc/appconfig/foo.xml'); +If you don't know how to use XML::Simple then the best approach is to +L +instead. Stop reading this document and use that one instead. -The XMLin() function accepts options after the filename. +If you are determined to use XML::Simple, it come with copious documentation, +so L. =head2 There are so many options, which ones do I really need to know about? diff --git a/t/C_External_Entities.t b/t/C_External_Entities.t new file mode 100644 index 0000000..11dbce1 --- /dev/null +++ b/t/C_External_Entities.t @@ -0,0 +1,35 @@ +use strict; +use warnings; +use Test::More; +use File::Temp qw(tempfile); + +eval { require XML::Parser; }; +if($@) { + plan skip_all => 'no XML::Parser'; +} + +plan tests => 2; + +use XML::Simple; + +$XML::Simple::PREFERRED_PARSER = 'XML::Parser'; + +my ($fh, $filename) = tempfile(UNLINK => 1); +print $fh "bad"; +close $fh; + +my $xml = qq( + +]> + + &xxe; + mypass + +); + +my $opt = XMLin($xml); +isnt($opt->{'user'}, 'bad', 'External entity not retrieved'); +like($opt->{'user'}, qr/^file/, 'External entity left as URL'); + +unlink($filename) if (-f $filename); +exit(0);