lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2026-01-26 21:41:34 +03:00
Code Activity
7,677 Commits 24 Branches 238 Tags
f1e1f13b766eb580a8dcc0c4e7a447346dfd862e
Commit Graph

7677 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nick Wellnhofer
f1e1f13b76 tree: Guard against atype corruption 
Always remove ids if `id` member is set.

Untested, but this should fix CVE-2025-7425 reported against libxslt:

https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
 2025-08-05 22:59:31 +02:00
Nick Wellnhofer
152fbb60a9 parser: Make sure to stop parser before checking max errors 
Short-lived regression from 7a41b18c.
 2025-08-03 18:26:29 +02:00
Nick Wellnhofer
149c04c02d html: Escape < and > when serializing attributes 
This reverts the change in cdaf657f. Coincidentally, the HTML spec just
changed to mandate the old escaping behavior:

https://github.com/whatwg/html/issues/6235

Fixes #957.
 2025-08-02 15:03:18 +02:00
Nick Wellnhofer
3b96ec75ab doc: Document deprecated default SAX handler globals 2025-08-02 14:12:17 +02:00
Nick Wellnhofer
00314882ed meson: Add -Wmissing-variable-declarations 
Originally clang-only, gcc supports this option since version 14.

This catches errors like #961.
 2025-08-01 15:46:08 +02:00
Nick Wellnhofer
37bd4b284a globals: Include HTMLparser.h, fixing Windows build 
Regressed with c011e760 and 85bd58ef.

Fixes #961.
 2025-08-01 15:30:46 +02:00
Nick Wellnhofer
43f7ff0a9e tests: Make global variables static 2025-08-01 15:27:11 +02:00
Nick Wellnhofer
8436916097 doc: Add another warning to XML_PARSE_DTDVALID 
While most parts of libxml2, including the parser, are still vulnerable
to such attacks, it is unlikely that DTD validation will ever be fixed.
 2025-07-31 15:20:20 +02:00
Nick Wellnhofer
859899a87e doc: Document option handling of deprecated "SAX1" functions 2025-07-31 15:20:20 +02:00
Nick Wellnhofer
ab4a7f3011 doc: Document deprecated xmlBuffer members 2025-07-31 15:20:20 +02:00
Nick Wellnhofer
af464de1f3 io: Deprecate xmlOutputBuffer members 2025-07-31 15:20:20 +02:00
Nick Wellnhofer
6c0188549b io: Deprecate xmlParserInputBuffer members 2025-07-31 15:20:20 +02:00
Nick Wellnhofer
2cc77c3a81 fuzz: Stop using xmlParserInputBuffer 2025-07-31 15:20:20 +02:00
Nick Wellnhofer
7deae0f80f python: Switch to *CreateIO functions 
Avoid using deprecated struct members.
 2025-07-31 15:20:20 +02:00
Nick Wellnhofer
d1c3391eaf tests: Silence testparser 
Regressed with bd9d5e39.
 2025-07-31 15:20:20 +02:00
Nick Wellnhofer
8689523ad9 parser: Implement xmlCtxtGetInputWindow 
See #762.
 2025-07-31 15:20:20 +02:00
Nick Wellnhofer
469c847f4d parser: Split out xmlParserInputGetWindow 2025-07-31 14:23:23 +02:00
Nick Wellnhofer
8aaa53d712 parser: Implement xmlCtxtGetInputPosition 
See #762.
 2025-07-31 14:23:23 +02:00
Nick Wellnhofer
144ed959a5 parser: Move xmlSaturatedAdd to private header 2025-07-31 14:23:23 +02:00
Nick Wellnhofer
e3daef5c78 parser: Fix xmlSaturatedAddSizeT argument type 
This is only used for entity size accounting. The bug only affected
platforms where sizeof(long) != sizeof(size_t) and was probably
harmless.
 2025-07-31 14:23:23 +02:00
Nick Wellnhofer
a7fc9e1add parser: Add more parser context accessors 
The only thing remaining is access to parser input, see #762.
 2025-07-31 14:23:23 +02:00
Nick Wellnhofer
a2562b9d8a doc: Improve documentation of error levels 2025-07-31 14:23:23 +02:00
Nick Wellnhofer
7a41b18c62 parser: Remove xmlHaltParser 
Always halt the parser on resource limit and entity loop errors and
remove the remaining calls which seem unnecessary.
 2025-07-31 14:23:23 +02:00
Nick Wellnhofer
cdf4c6f1a2 doc: Mention XML_PARSE_NOERROR in more places 2025-07-31 14:23:23 +02:00
Nick Wellnhofer
77700d3d0a doc: Mention tree API bugs in old versions 2025-07-31 14:23:23 +02:00
Nick Wellnhofer
c5e7ff09b2 tree: More xmlNodeParseContent cleanup 
- Rename to xmlNodeParseAttValue
- Rework argument types
- Remove wrapper function
 2025-07-31 14:23:23 +02:00
Caolán McNamara
408bd0e18e const up allowPCData 
similar to htmlScriptAttributes
 2025-07-24 11:13:58 +01:00
Nick Wellnhofer
0a4fe2f94a io: Fix argument type 
See c70d88f1 and #951.
 2025-07-20 18:52:06 +02:00
Nick Wellnhofer
e117405749 tree: Don't reference recursive entities in xmlNodeParseContent 
Improve protection against entity cycles when using tree API.
 2025-07-20 13:10:15 +02:00
Nick Wellnhofer
c70d88f19a io: Fix reading from pipes like stdin on Windows 
On Windows, lseek doesn't return an error on unseekable streams like
pipes.

Fixes #951.
 2025-07-20 13:10:15 +02:00
Peter Kokot
8f1cc9151e CMake: Add selector to CMAKE_DL_LIBS transformation 
At the time of writing, on AIX, the CMAKE_DL_LIBS is set to "-lld",
which presents the dependency for using dynamic loading on some old AIX
versions. This ensures that resulting list of linker flags on AIX is
also properly formatted (without adding additional "-l").
 2025-07-18 22:43:49 +02:00
Peter Kokot
a3d2c17713 CMake: Fix dlopen check 
Systems can have dlopen symbol in various libraries. For example, on
Haiku, dlopen is in 'root' library, which is linked by default.

The CMAKE_DL_LIBS variable is automatically set by CMake and contains
the name of the library or libraries that contain dynamic loading
functionality. CMakePushCheckState checks for the symbol in isolation,
so the required libraries variable can be modified.
 2025-07-17 16:01:11 +02:00
Nick Wellnhofer
4d69f91b25 valid: Make validation fail if warnings cause OOM error 
Make xmlErrValidWarning return -1 on malloc failures.
 2025-07-14 17:24:54 +02:00
Nick Wellnhofer
0c948334a8 html: Add newline to error message 2025-07-10 12:46:40 +02:00
Nick Wellnhofer
bc0bb67b57 html: Don't abort on encoding errors 
Always enable recovery mode when parsing HTML, so we don't raise fatal
errors.

Regressed with 462bf0b7. Fixes #947.
 2025-07-10 12:46:22 +02:00
Nick Wellnhofer
3773bb3f89 tree: Make sure that SIZE_MAX is defined 2025-07-09 16:09:56 +02:00
Nick Wellnhofer
6340f39284 doc: Document HTML type aliases 2025-07-09 15:19:46 +02:00
Nick Wellnhofer
bd9d5e39ec parser: Fix handling of invalid char refs in recovery mode 
Revert to the old behavior which handles invalid char refs more
gracefully. Probably regressed with 37c6618b (version 2.13.0).
 2025-07-09 14:58:26 +02:00
Nick Wellnhofer
6c796b3792 doc: Misc fixes 2025-07-09 13:17:39 +02:00
Nick Wellnhofer
c7a9ef1d66 doc: Document struct typedefs 
Unfortunately, Doxygen's TYPDEF_HIDES_STRUCT option is too broken.
Document struct typedefs to make autolinks work.
 2025-07-04 16:47:42 +02:00
Nick Wellnhofer
71e1e8af5e schematron: Fix memory safety issues in xmlSchematronReportOutput 
Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
in xmlSchematronReportOutput.

Fixes #931.
Fixes #933.
 2025-07-04 14:44:54 +02:00
Nick Wellnhofer
24d7e15914 schematron: Complete fix for CVE-2025-49795 
- Fix memory leaks
- Fix tests
 2025-07-04 12:46:29 +02:00
Michael Mann
499bcb78ab Schematron: Fix null pointer dereference leading to DoS 
(CVE-2025-49795)

Fixes #932
 2025-07-04 09:35:14 +00:00
Michael Mann
069bcda17d Fix potential buffer overflows of interactive shell 
CVE-2025-6170

Fixes #941
 2025-07-02 13:29:19 -04:00
Nick Wellnhofer
c34742f301 tests: Fix build --without-output 2025-06-30 16:23:54 +02:00
Nick Wellnhofer
9553695d17 relaxng: Make xmlRelaxNGDump depend on debug option 2025-06-30 16:23:54 +02:00
Omar Siam
9760a14fb9 relaxng: In the simplification step also unlink notAllowed refs from choice 
This fixes false reports of non allowed content compared to notAllowed as tag within the choice tag.
 2025-06-30 13:47:33 +00:00
Nick Wellnhofer
56a767ed58 doc: Small fix 2025-06-28 15:21:44 +02:00
Nick Wellnhofer
0d52684e31 parser: Don't set dict limit when setting options 
This is done in xmlCtxtInitializeLate.
 2025-06-28 15:21:44 +02:00
Nick Wellnhofer
1b737cc810 parser: Another fix to ]]> detection in push parser 
The original fix for issue #850 in commit 9efe1414 was incomplete.
 2025-06-28 15:21:20 +02:00