fix JRuby SAX parser entity handling (v1.12.x backport) #2329

Merged
merged 3 commits into from
Sep 26, 2021

Conversation

flavorjones
Member

@flavorjones flavorjones commented Sep 26, 2021

What problem is this PR intended to solve?

GHSA-2rr5-8q37-2w7h (may be private for now)

This is a backport of #2328 for a v1.12.x patch release.

Have you included adequate test coverage?

Yes.

Does this change affect the behavior of either the C or the Java implementations?

The Java implementation behavior now matches the C implementation behavior.

- xml/sax/test_parser.rb
- xml/sax/test_push_parser.rb
NokogiriErrorHandler stores RubyException but also accepts (and
type-converts) Exception and RaiseException.

NokogiriHandler uses NokogiriErrorHandler under the hood.

NokogiriErrorHandler classes use addError consistently everywhere.

to avoid XXE injections.

This behavior now matches the CRuby implementation.
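The security point of this PR is that the JRuby SAX parsers were expanding external entities declared in a DOCTYPE (the XXE class of bug), whereas the CRuby implementation leaves them unresolved. The following is an added example, not code from the Nokogiri project or from this PR: a small probe that feeds a constructed XXE payload pointing at a temporary secret file to any SAX-style parser and reports whether the file contents reach the text content. Two constructed stand-in parsers (one that resolves SYSTEM entities the way the pre-fix JRuby code did, one that leaves `&xxe;` alone) show both outcomes, and an adapter for `Nokogiri::XML::SAX::Parser` lets you run the same probe against an installed Nokogiri; the gem is assumed to be present only for that last step.

```ruby
# Added example (not Nokogiri project code): probe whether a SAX-style parser
# expands external entities declared in the DOCTYPE, i.e. whether it is XXE-prone.
require "tempfile"

# Constructed XXE payload: an external general entity that points at a local file.
def xxe_payload(path)
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE doc [
      <!ENTITY xxe SYSTEM "file://#{path}">
    ]>
    <doc>&xxe;</doc>
  XML
end

# `parse` is any callable that takes an XML string and returns the text content
# it observed (for a SAX consumer, the concatenated `characters` callbacks).
# Returns true if the secret written to a temp file shows up in that text.
def expands_external_entities?(parse)
  Tempfile.create("xxe-probe") do |f|
    secret = "PROBE-SECRET-#{rand(1 << 32)}"
    f.write(secret)
    f.flush
    parse.call(xxe_payload(f.path)).to_s.include?(secret)
  end
end

# Constructed stand-in for a parser that resolves external entities (the
# pre-fix JRuby behaviour this PR addresses): it reads each SYSTEM entity's
# target file and substitutes it for the entity reference.
RESOLVING_PARSER = lambda do |xml|
  entities = {}
  xml.scan(%r{<!ENTITY\s+(\w+)\s+SYSTEM\s+"file://([^"]+)"\s*>}) do |name, path|
    entities[name] = File.read(path)
  end
  body = xml.sub(/\A.*?<doc>/m, "").sub(%r{</doc>.*\z}m, "")
  body.gsub(/&(\w+);/) { entities.fetch($1, $&) }
end

# Constructed stand-in for the fixed behaviour: the reference is left unresolved,
# so the SAX consumer never sees the file contents.
NON_RESOLVING_PARSER = lambda do |xml|
  xml.sub(/\A.*?<doc>/m, "").sub(%r{</doc>.*\z}m, "")
end

# Adapter for Nokogiri's SAX parser (the parser this PR fixes). Assumes the
# nokogiri gem is installed; raises LoadError otherwise.
def nokogiri_sax_text(xml)
  require "nokogiri"
  handler = Class.new(Nokogiri::XML::SAX::Document) do
    attr_reader :text
    def initialize; super; @text = +""; end
    def characters(s); @text << s; end
  end.new
  Nokogiri::XML::SAX::Parser.new(handler).parse(xml)
  handler.text
end

if __FILE__ == $PROGRAM_NAME
  puts "stand-in resolving parser leaks file:     #{expands_external_entities?(RESOLVING_PARSER)}"
  puts "stand-in non-resolving parser leaks file: #{expands_external_entities?(NON_RESOLVING_PARSER)}"
  begin
    puts "installed Nokogiri SAX parser leaks file: #{expands_external_entities?(method(:nokogiri_sax_text))}"
  rescue LoadError
    puts "nokogiri gem not installed; skipping live check"
  end
end
```

Run the script under both CRuby and JRuby with the Nokogiri version you ship; a `true` on the last line means the SAX parser hands external entity contents to your `characters` callback, which is the behaviour this backport removes on JRuby.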
@flavorjones flavorjones changed the base branch from main to v1.12.x September 26, 2021 19:45
@flavorjones flavorjones merged commit 6b60637 into v1.12.x Sep 26, 2021
@flavorjones flavorjones deleted the flavorjones-GHSA-2rr5-8q37-2w7h_1.12.x branch September 26, 2021 21:43
@flavorjones flavorjones added the backport Backport of a PR to the current release branch label Jan 17, 2022