Changes 06
META.json 33
META.yml 33
lib/XML/RSS.pm 14
t/2.0-parse-2.t 131
5 files changed (This is a version diff) 847
@@ -1,5 +1,11 @@
 Revision history for Perl module XML::RSS
 
+1.56    2014-12-04
+    - Fix https://rt.cpan.org/Ticket/Display.html?id=100660
+        - XML External Entities Exploit, as reported here:
+            - http://mikeknoop.com/lxml-xxe-exploit/
+        - Security.
+
 1.55    2014-04-15
     - Fix the tests for DateTime-Format-Mail-0.400.
 
@@ -4,7 +4,7 @@
       "Shlomi Fish <shlomif@cpan.org>"
    ],
    "dynamic_config" : 1,
-   "generated_by" : "Module::Build version 0.4205",
+   "generated_by" : "Module::Build version 0.421",
    "keywords" : [
       "feed",
       "feeds",
@@ -52,7 +52,7 @@
    "provides" : {
       "XML::RSS" : {
          "file" : "lib/XML/RSS.pm",
-         "version" : "1.55"
+         "version" : "1.56"
       },
       "XML::RSS::Private::Output::Base" : {
          "file" : "lib/XML/RSS/Private/Output/Base.pm"
@@ -86,5 +86,5 @@
          "url" : "https://github.com/shlomif/perl-XML-RSS"
       }
    },
-   "version" : "1.55"
+   "version" : "1.56"
 }
@@ -8,7 +8,7 @@ build_requires:
 configure_requires:
   Module::Build: '0.36'
 dynamic_config: 1
-generated_by: 'Module::Build version 0.4205, CPAN::Meta::Converter version 2.140640'
+generated_by: 'Module::Build version 0.421, CPAN::Meta::Converter version 2.142060'
 keywords:
   - feed
   - feeds
@@ -29,7 +29,7 @@ name: XML-RSS
 provides:
   XML::RSS:
     file: lib/XML/RSS.pm
-    version: '1.55'
+    version: '1.56'
   XML::RSS::Private::Output::Base:
     file: lib/XML/RSS/Private/Output/Base.pm
   XML::RSS::Private::Output::Roles::ImageDims:
@@ -55,4 +55,4 @@ resources:
   homepage: http://perl-rss.sourceforge.net/
   license: http://dev.perl.org/licenses/
   repository: https://github.com/shlomif/perl-XML-RSS
-version: '1.55'
+version: '1.56'
@@ -16,7 +16,7 @@ use vars qw($VERSION $AUTOLOAD @ISA $AUTO_ADD);
 
 require 5.008;
 
-$VERSION = '1.55';
+$VERSION = '1.56';
 
 $AUTO_ADD = 0;
 
@@ -1267,6 +1267,9 @@ sub _get_parser {
                 # Detach the parser to avoid reference loops.
                 $self->_parser(undef);
             },
+            ExternEnt => sub {
+                return '';
+            },
         }
     );
 }
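Review bot: The new `ExternEnt` handler (lines 82-84) returns `''`, so an external entity such as `file:///etc/passwd` is silently replaced with empty content and neither the caller nor a log ever learns that a feed attempted XXE; a louder failure is usually preferable for a security guard, e.g. `ExternEnt => sub { die "XML::RSS: external entities are not allowed\n" },`. If the silent behaviour is intentional (so that otherwise-valid feeds keep parsing), it deserves a comment on the handler, such as `# Do not resolve external entities (RT #100660, XXE); substitute empty content instead of fetching the URI.` As far as I can tell this handler only intercepts external entity references; expansion of internal entities (the "billion laughs" pattern) is still done by the underlying parser and is not addressed by this change, which is worth noting in the changelog or POD. The `_get_parser` sub and the `XML::Parser->new(...)` call it builds begin before this hunk.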
@@ -3,7 +3,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 13;
+use Test::More tests => 14;
 
 use XML::RSS;
 use File::Spec;
@@ -195,3 +195,33 @@ EOF
         "media:desc type is OK.",
     );
 }
+
+{
+    my $rss = XML::RSS->new();
+
+    $rss->parse(<<'EOF');
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE title [ <!ELEMENT title ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+<channel>
+    <title>The Blog</title>
+    <link>http://example.com/</link>
+    <description>A blog about things</description>
+    <lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
+    <item>
+        <title>Without&xxe;Entity</title>
+        <link>http://example.com</link>
+        <description>a post</description>
+        <author>author@example.com</author>
+        <pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
+    </item>
+</channel>
+</rss>
+EOF
+
+    # TEST
+    is ($rss->{items}->[0]->{title}, "WithoutEntity",
+        "Fix for RT #100660 - XML External Entities Exploit",
+    );
+}