@@ -1,5 +1,11 @@
Revision history for Perl module XML::RSS
+1.56 2014-12-04
+ - Fix https://rt.cpan.org/Ticket/Display.html?id=100660
+ - XML External Entities Exploit, as reported here:
+ - http://mikeknoop.com/lxml-xxe-exploit/
+ - Security.
+
1.55 2014-04-15
- Fix the tests for DateTime-Format-Mail-0.400.
@@ -4,7 +4,7 @@
"Shlomi Fish <shlomif@cpan.org>"
],
"dynamic_config" : 1,
- "generated_by" : "Module::Build version 0.4205",
+ "generated_by" : "Module::Build version 0.421",
"keywords" : [
"feed",
"feeds",
@@ -52,7 +52,7 @@
"provides" : {
"XML::RSS" : {
"file" : "lib/XML/RSS.pm",
- "version" : "1.55"
+ "version" : "1.56"
},
"XML::RSS::Private::Output::Base" : {
"file" : "lib/XML/RSS/Private/Output/Base.pm"
@@ -86,5 +86,5 @@
"url" : "https://github.com/shlomif/perl-XML-RSS"
}
},
- "version" : "1.55"
+ "version" : "1.56"
}
@@ -8,7 +8,7 @@ build_requires:
configure_requires:
Module::Build: '0.36'
dynamic_config: 1
-generated_by: 'Module::Build version 0.4205, CPAN::Meta::Converter version 2.140640'
+generated_by: 'Module::Build version 0.421, CPAN::Meta::Converter version 2.142060'
keywords:
- feed
- feeds
@@ -29,7 +29,7 @@ name: XML-RSS
provides:
XML::RSS:
file: lib/XML/RSS.pm
- version: '1.55'
+ version: '1.56'
XML::RSS::Private::Output::Base:
file: lib/XML/RSS/Private/Output/Base.pm
XML::RSS::Private::Output::Roles::ImageDims:
@@ -55,4 +55,4 @@ resources:
homepage: http://perl-rss.sourceforge.net/
license: http://dev.perl.org/licenses/
repository: https://github.com/shlomif/perl-XML-RSS
-version: '1.55'
+version: '1.56'
@@ -16,7 +16,7 @@ use vars qw($VERSION $AUTOLOAD @ISA $AUTO_ADD);
require 5.008;
-$VERSION = '1.55';
+$VERSION = '1.56';
$AUTO_ADD = 0;
@@ -1267,6 +1267,9 @@ sub _get_parser {
# Detach the parser to avoid reference loops.
$self->_parser(undef);
},
+ ExternEnt => sub {
+ return '';
+ },
}
);
}
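Review bot: The new `ExternEnt` handler carries no comment saying what it is for, and returning the empty string only makes sense to a reader who already knows that XML::Parser would otherwise resolve SYSTEM/PUBLIC entity references itself (reading a local file or fetching a URL); I would add `# RT #100660 (XXE): never resolve external entities. Returning '' makes every external entity reference expand to nothing.` directly above the handler. Returning '' silently drops the referenced content instead of rejecting the document (the test in this series expects the title to come back as "WithoutEntity"); if a feed that references external entities should fail loudly, `die` in the handler is the alternative, and whichever choice stands deserves to be recorded in that comment. As far as this hunk shows, internal entity expansion is unchanged, so recursive entity-expansion (billion-laughs) inputs are a separate concern this fix does not cover. `_get_parser` begins before the hunk.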
@@ -3,7 +3,7 @@
use strict;
use warnings;
-use Test::More tests => 13;
+use Test::More tests => 14;
use XML::RSS;
use File::Spec;
@@ -195,3 +195,33 @@ EOF
"media:desc type is OK.",
);
}
+
+{
+ my $rss = XML::RSS->new();
+
+ $rss->parse(<<'EOF');
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE title [ <!ELEMENT title ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+<channel>
+ <title>The Blog</title>
+ <link>http://example.com/</link>
+ <description>A blog about things</description>
+ <lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
+ <item>
+ <title>Without&xxe;Entity</title>
+ <link>http://example.com</link>
+ <description>a post</description>
+ <author>author@example.com</author>
+ <pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
+ </item>
+</channel>
+</rss>
+EOF
+
+ # TEST
+ is ($rss->{items}->[0]->{title}, "WithoutEntity",
+ "Fix for RT #100660 - XML External Entities Exploit",
+ );
+}
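Review bot: The new test hard-codes `file:///etc/passwd` as the external entity target, so the assertion only demonstrates the fix on hosts where that file exists and is readable, and it never shows what would have leaked. Pointing the SYSTEM entity at a temporary file holding a known sentinel (core `File::Temp`, `use File::Temp qw(tempfile);` next to the existing `use File::Spec;`) makes the test self-contained and lets it also assert that the sentinel never reaches the parsed title; this requires switching the heredoc from `<<'EOF'` to `<<"EOF"` so the path interpolates, and leaves the plan at 14 if the extra check is folded into one `ok`/`is` or the plan is bumped accordingly. I have only reasoned about the `file://` form of a temp path on POSIX, so confirm it behaves on Windows before relying on it. The block begins and ends within the hunk.
```perl
my ($tmp_fh, $secret_path) = tempfile(UNLINK => 1);
print {$tmp_fh} "SENTINEL-MUST-NOT-LEAK\n";
close $tmp_fh or die "close $secret_path: $!";

$rss->parse(<<"EOF");
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file://$secret_path" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
  <!-- … unchanged: channel and item markup … -->
</channel>
</rss>
EOF

# TEST
is ($rss->{items}->[0]->{title}, "WithoutEntity",
    "Fix for RT #100660 - external entity is not resolved or inlined",
);
```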