kmx git

Commit	Date	Message
89d9ef3e	2022-03-01T15:14:00	Reset last error in xmlCleanupGlobals Before, we tried to reset the last error in xmlCleanupParser. But if xmlCleanupParser wasn't called from the main thread, this would reset the thread-local error object. xmlCleanupGlobals has access to the error object of the main thread and can reset it reliably.
ebc50097	2022-03-01T13:57:16	Warn when using deprecated functions from Python bindings This requires Python code to be run with -Wd.
b66ce0bb	2022-03-01T12:39:02	Don't include ICU headers in public headers There's no need to make these implementation details public.
50f6feb9	2022-03-01T00:05:54	Remove broken bakefile support
d7c7425c	2022-03-01T00:03:24	Remove broken Visual Studio 2010 support
b094e814	2022-03-01T00:02:59	Remove broken Windows CE support
655cf3f4	2022-02-28T23:39:00	Always fopen files with "rb" We never want translation of newlines when reading files, so it should be safe to always specify "rb". On sane platforms, the "b" flag is simply ignored.
3f8655db	2022-02-28T23:22:50	Remove __DJGPP__ checks Drop broken support for DJGPP.
2489c1d0	2022-02-28T22:42:10	Remove useless __CYGWIN__ checks From what I can tell, some really early Cygwin versions from around 1998-2000 used to erroneously define _WIN32. This was eventually fixed, but these days, the `defined(_WIN32) && !defined(__CYGWIN__)` idiom is unnecessary. Now, we only check for __CYGWIN__ in xmlexports.h when deciding whether to use __declspec.
ea6e8f99	2021-12-20T00:34:58	Fix certain combinations of regex range quantifiers Fix regex transitions that have both min/max and a counter. In this case, we want to save the regex state before incrementing the counter. Fixes #301 and the issue reported here: https://mail.gnome.org/archives/xml/2016-April/msg00017.html
382fb056	2021-12-20T00:31:41	Fix range quantifier on subregex Make sure to add counted exit transitions before other counter transitions. Otherwise, we won't backtrack correctly. Fixes #65.
48ed5a74	2022-02-21T09:35:59	Update `xmlStrlen()` to use POSIX / ISO C `strlen()` This should be faster on a wide range of platforms. Closes #212
5bc5f076	2022-02-24T18:34:39	Fix build with older Python versions ModuleNotFoundError is only available since Python 3.6. Use the superclass ImportError instead. Fixes commit 3cc64a89. Fixes #347.
c41bc10d	2022-02-22T19:57:12	Fix unused variable warnings with disabled features
4fd69f3e	2022-02-22T18:15:53	Fix recovery from invalid HTML start tags Only try to parse a start tag if there's a '<' followed by an ASCII letter. This is more in line with HTML5 and the old behavior in recovery mode. Emit a literal '<' if the following character is invalid. Fixes #101. Fixes #339.
b057239b	2022-02-22T11:52:38	More fixes to --without-valid build Fix runtest and Python bindings when building --without-valid. The Python tests still fail. There doesn't seem to be a mechanism to disable tests depending on feature flags.
d05317ce	2022-02-22T11:51:08	Fix --without-valid build Regressed in commit 652dd12a.
f5509772	2022-02-20T22:06:16	Fix documentation in entities.c
b26d581d	2022-02-20T21:26:50	Add note about optimization flags
6117700e	2022-02-20T20:56:40	Remove special configuration for certain maintainers
004fe9de	2022-02-20T19:02:31	Deprecate IDREF-related functions in valid.h These functions are only needed internally for validation. xmlGetRefs is inherently unsafe because the ref table isn't updated if attributes are removed (unlike the ids table). None of the Ubuntu 20.04 packages depending on libxml2 use any of these functions (except xmlFreeRefTable in libxslt), so it seems perfectly safe to deprecate them. Remove xmlIsRef and xmlRemoveRef from the Python bindings.
61de9297	2022-02-20T20:59:14	Deprecate all functions in DOCBparser.h
274a1b5b	2022-02-20T16:05:53	Remove unneeded code in xmlreader.c Now that no references to ID and IDREF attributes are stored in streaming validation mode, there's no need to try and remove them. Also remove xmlTextReaderFreeIDTable which was identical to xmlFreeIDTable.
d7cb33cf	2022-01-13T17:06:14	Rework validation context flags Use a bitmask instead of magic values to - keep track whether the validation context is part of a parser context - keep track whether xmlValidateDtdFinal was called This allows to add addtional flags later. Note that this deliberately changes the name of a public struct member, assuming that this was always private data never to be used by client code.
aeaf02c0	2022-02-20T20:51:20	Disable docbook support by default The docbook code is broken and has been deprecated for years.
cf4893f7	2022-02-20T19:56:41	Deprecate legacy functions
96889d19	2022-02-20T17:36:28	Disable legacy support by default If you need support for legacy APIs, you have to enable it explicitly: ./configure --with-legacy
9e0ca5a1	2022-02-20T19:29:01	Deprecate all functions in nanoftp.h
a0a0f3be	2022-02-20T17:33:47	Disable FTP support by default In the unlikely case that you really need FTP support, you have to enable it explicitly with: ./configure --with-ftp
a2fe74c0	2022-02-20T18:19:27	Add XML_DEPRECATED macro __attribute__((deprecated)) is available since at least GCC 3.1, so an exact version check is probably unnecessary.
346c3a93	2022-02-20T18:46:42	Remove elfgcchack.h The same optimization can be enabled with -fno-semantic-interposition since GCC 5. clang has always used this option by default.
ce0871e1	2022-02-20T16:44:41	Only warn on invalid redeclarations of predefined entities Downgrade the error message to a warning since the error was ignored, anyway. Also print the name of redeclared entity. For a proper fix that also shows filename and line number of the invalid redeclaration, we'd have to - pass the parser context to the entity functions somehow, or - make these functions return distinct error codes. Partial fix for #308.
e03590c9	2022-02-08T02:42:30	Don't add IDs containing unexpanded entity references When parsing without entity substitution, IDs or IDREFs containing unexpanded entity reference like "abc&x;def" could be created. We could try to expand these entities like in validation mode, but it seems safer to honor the request not to expand entities. We silently ignore such IDs for now.
a075d256	2022-02-19T19:05:45	Release v2.9.13
04d4124c	2022-02-19T18:50:10	Update news and rebuild documentation
652dd12a	2022-02-08T03:29:24	[CVE-2022-23308] Use-after-free of ID and IDREF attributes If a document is parsed with XML_PARSE_DTDVALID and without XML_PARSE_NOENT, the value of ID attributes has to be normalized after potentially expanding entities in xmlRemoveID. Otherwise, later calls to xmlGetID can return a pointer to previously freed memory. ID attributes which are empty or contain only whitespace after entity expansion are affected in a similar way. This is fixed by not storing such attributes in the ID table. The test to detect streaming mode when validating against a DTD was broken. In connection with the defects above, this could result in a use-after-free when using the xmlReader interface with validation. Fix detection of streaming mode to avoid similar issues. (This changes the expected result of a test case. But as far as I can tell, using the XML reader with XIncludes referencing the root document never worked properly, anyway.) All of these issues can result in denial of service. Using xmlReader with validation could result in disclosure of memory via the error channel, typically stderr. The security impact of xmlGetID returning a pointer to freed memory depends on the application. The typical use case of calling xmlGetID on an unmodified document is not affected.
d19bab68	2022-02-19T19:26:10	Fix fuzz/.gitignore after fixing VPATH build
f2ad86fa	2022-02-17T19:05:26	Remove SVN keyword anchors
b041d829	2022-02-16T19:55:30	Remove xmlwin32version.h This file was undocumented and never used anywhere. Maybe users were supposed to rename this file to xmlversion.h manually. These days, both CMake and win32/configure.js generate xmlversion.h from xmlversion.h.in, just like the Autotools build.
176115c6	2022-02-14T22:49:04	Fix source URL in libxml.spec.in
86266487	2022-02-14T18:06:38	Fix fuzzer test with VPATH build Also fixes make distcheck.
85a35ba0	2022-02-14T17:44:29	Support custom prefix when installing Python module Also fixes make distcheck.
46084436	2022-02-14T03:28:51	Remove Makefile.win A Makefile for Visual C++ 5.0, last changed 23 years ago.
a20a6022	2022-02-14T03:40:59	Fix distribution after README change
411f9803	2022-02-14T01:30:37	Rework README - Merge INSTALL.libxml2, CONTRIBUTING and AUTHORS into README - Convert to Markdown - Redact and update content - Update links
e16d729d	2022-02-14T01:31:47	Remove README.cvs-commits
8eb06937	2022-02-14T01:01:23	Remove outdated ChangeLog code The ChangeLog is from pre-Git times.
7fe9addc	2022-02-13T23:29:51	Remove CVS and SVN-related code
10891111	2022-02-13T22:52:53	Redirect links to xmlsoft.org Documentation and releases are now available on gitlab.gnome.org.
4f2693a1	2022-02-13T22:57:34	Remove README.docs This was just a partial copy of the main README.
4a0c0e63	2022-02-13T22:52:14	Remove MAINTAINERS Maintainers are listed in libxml2.doap.
b0e6eb97	2022-02-13T22:51:26	Remove xmltutorial.pdf We already have an HTML version.
daf2d9c3	2022-02-08T04:30:29	Fix regression in RelaxNG pattern matching XML_SCHEMAS_QNAME is not a string-derived type. Other types up to XML_SCHEMAS_ENTITIES are. Should fix #224.
d54564ea	2022-02-12T21:38:19	Remove .travis.yml
0a6a79b2	2022-02-12T21:36:27	Try again to only build GitLab Pages on main repo
a3aca203	2022-02-12T21:33:53	Try again to only build GitLab Pages on main repo
15111c82	2022-02-12T21:25:25	Only build GitLab Pages on main repo
2017cae6	2022-02-12T20:02:51	Upload documentation to GitLab pages
be889b65	2022-01-26T16:35:18	Make xmlFuzzReadString return a zero size in error case Avoids use of uninitialized memory.
57b3abd5	2022-02-07T22:09:25	Fix xmlSetTreeDoc with entity references The children member of entity reference nodes points to the entity declaration and must never be followed when traversing a tree. In the worst case, this could lead to an infinite loop. It's somewhat unclear how moving entity references to other documents should work exactly. For now we simply set the children pointer to NULL to avoid a reference to the original document. Fixes #42.
8be44aeb	2022-02-07T20:54:33	Fix "xmllint -" Short-lived regression from commit d12be00d.
9edc20c1	2022-02-07T20:38:30	Fix double counting of CRLF in comments Fixes #151.
b14649e3	2022-02-07T19:54:20	Remove old ChangeLog This was probably generated from SVN until 2009. Changes are now tracked in NEWS. Fixes #261.
fcd4c5b8	2022-02-07T19:22:45	Document how to escape XML_CATALOG_FILES Fixes #309.
ea53fc18	2022-02-07T18:24:03	Properly handle nested documents in xmlFreeNode Client code should never add document nodes as children of other nodes, but even our own XPointer code has a bug that can produce such trees. Make sure to really free nested documents. Also see commits 0815302d and 0762c9b6. Should fix #269.
96535657	2022-02-07T15:26:33	Make sure to grow input buffer in xmlParseMisc Otherwise, large amount of whitespace could lead to documents not being parsed correctly. Fixes #299.
9b8ef34d	2022-02-04T14:42:16	Fix unused function warning in testapi.c
d12be00d	2022-02-04T14:13:59	Don't ignore xmllint options after "-" There's no reason to ignore options after "-". This was probably confused with the "--" mechanism which xmllint doesn't implement. Fixes #290.
5408c10c	2022-02-04T14:00:09	Don't normalize namespace URIs in XPointer xmlns() scheme Namespace URIs should be compared without escaping or unescaping: https://www.w3.org/TR/REC-xml-names/#NSNameComparison Fixes #289.
1c7d91ab	2022-02-03T23:31:19	Fix handling of XSD with empty namespace An empty namespace means no default namespace. Fixes #303.
f480f750	2022-02-03T14:43:17	Update NewsML DTD in test suite Switch to version 1.2 which has a clearer license. Fixes #291.
247cfa27	2022-02-01T16:21:10	Fix parsing of xmllint --maxmem option Fixes #195.
96dc7f4a	2022-02-01T16:15:51	Also register HTML document nodes Fixes #196.
18d1f9d4	2022-02-01T15:56:21	Add more checks for malloc failures in xmllint.c Also fix a few of the existing checks. Fixes #197. Fixes #198.
eab86522	2022-01-31T14:45:09	Make xmllint return an error if arguments are missing Before, xmllint would only return an error code if the argument list was completely empty. Fixes #285.
6010a536	2022-01-28T16:27:12	Avoid potential integer overflow in xmlstring.c For historical reasons, the string API operates with int indices which can overflow, especially on 64-bit systems. libxml2 always made the tacit assumption that strings will be never larger than INT_MAX bytes. It should be considered a bug if any part of the code can produce larger strings, whether they are externally visible or not. Likewise, API users are expected not to supply strings larger than INT_MAX bytes. This requirement isn't documented. But even if it was, we must handle larger strings passed in by accident without causing memory errors. - xmlStrndup, xmlCharStrndup, xmlUTF8Strndup Avoid integer overflow if len == INT_MAX. - xmlStrlen, xmlUTF8Strsize, xmlUTF8Strloc Avoid integer overflow by using size_t for index. If an input string larger than INT_MAX bytes is detected, these functions now return 0 instead of a wrong and possibly negative value. - xmlCheckUTF8 Avoid integer overflow by limiting index range. - xmlStrncat, xmlStrncatNew, xmlEscapeFormatString Avoid integer overflow. Return NULL instead of producing strings larger than INT_MAX bytes.
8f5ccada	2021-07-07T19:24:36	xmlAddChild() and xmlAddNextSibling() may not attach their second argument Use the return value of xmlAddChild() and xmlAddNextSibling() instead of the second argument directly. Found by OSS-Fuzz. Fixes #316
53983804	2022-01-25T03:08:22	Run CI tests with UBSan implicit-conversion checks This enables the remaining checks from the "integer" group: - implicit-unsigned-integer-truncation - implicit-signed-integer-truncation - implicit-integer-sign-change These checks can find all kinds of bugs and only require explicit casts if integer truncation or sign change is really intended.
a647e430	2022-01-25T02:59:40	Fix casting of line numbers in SAX2.c The line member is an unsigned short. Avoids integer conversion warnings with UBSan. Also use USHRT_MAX instead of hard-coded constant.
67c2e78b	2022-01-25T02:44:37	Fix integer conversion warnings in hash.c Use unsigned long for temporary variable to avoid integer conversion warnings with UBSan. Note that this does change the computation of hash values for input bytes larger than 0x7F. Before, these bytes were first converted to a (typically) signed char with a negative value, then to a large unsigned long near ULONG_MAX. I doubt that this was intentional. Input bytes larger than 0x7F are now converted to unsigned long unchanged.
21217dd9	2022-01-25T02:34:40	Add explicit casts in runtest.c Avoids integer conversion warnings with UBSan.
7abc6e6a	2022-01-25T02:27:53	Fix integer conversion warning in xmlIconvWrapper Use size_t for return value of iconv(3) to avoid an UBSan integer conversion warning.
f4a74bf0	2022-01-25T02:21:05	Add suffix to unsigned constant in xmlmemory.c Avoids an integer conversion warning with UBSan.
5948abfe	2022-01-25T01:59:03	Add explicit casts in testchar.c Avoids integer conversion warnings with UBSan.
6f95273e	2022-01-25T01:46:59	Fix integer conversion warnings in xmlstring.c Use an int to avoid an integer conversion warning with UBSan when left-shifting a char.
0596d67d	2022-01-25T01:39:41	Add explicit cast in xmlURIUnescapeString Avoids an integer conversion warning with UBSan.
f872aa18	2022-01-25T01:16:00	Fix handling of ctxt->base in xmlXPtrEvalXPtrPart Also set ctxt->base when updating ctxt->cur. Always restore ctxt->cur on error. Avoids integer truncation and wrong column numbers in xmlXPathErr. Stop hiding modification of ctxt members behind a macro. Found with UBSan.
97fe1279	2022-01-20T16:08:35	Remove wrong tarname from AC_INIT Remove the "tarname" added in commit 7c0253aa. Having a tarname including a version number would result in tarballs named libxml2-2.9.12-2.9.12.tar.gz. This change also means that documentation will now be installed in $(datadir)/doc/libxml2 instead of $(datadir)/doc/libxml2-$(version). Having a version number in the documentation directory doesn't seem helpful. The new location also matches the default autotools $(docdir).
00e618eb	2022-01-17T21:39:27	Remove old devhelp format See #295.
d85245f9	2022-01-16T21:39:04	Fix regression with PEs in external DTD Fix a regression introduced with commit a28f7d87. In some cases, parameter entity references in external DTDs wouldn't be expanded. Fixes #306.
9f4cb84c	2022-01-16T18:39:51	Fix xmllint --maxmem xmlMemSetup must be called before initializing the parser, otherwise some data structures will be allocated with system malloc instead of our custom allocator. This throws off built-in memory debugging and sanitizers.
e4c91f74	2021-11-03T11:41:11	Fix Null-deref-in-xmlSchemaGetComponentTargetNs
9277abe2	2022-01-16T15:50:56	Fix libxml2.doap Add description. Change category to "infrastructure". Apparently, "platform" isn't allowed anymore. Add programming language.
87a99270	2021-08-26T11:50:41	Added regression tests for xmlReadFd() and htmlReadFd()
fe6890e2	2021-07-27T13:20:20	Fix htmlReadFd, which was using a mix of xml and html context functions
67953a9f	2022-01-16T15:30:02	Fix memory leak in xmlXPathCompNodeTest Found by Coverity.
3cc64a88	2021-07-22T15:46:38	setup.py.in: Try to import setuptools This way, we can build binary wheels easily if needed
dbfe6151	2021-07-22T15:36:15	Python distutils: Make DLL packaging more flexible This updates setup.py.in to pack the DLLs according to the options we specified to configure.js or CMake (or, even configure, although autotools builds are not likely to build the libxml2 Python module via distutils). At this point, we can pack only the DLLs that libxml2 really depends on, and pack the libxslt DLLs only if we really built the libxslt Python modules. Also make the DLL filenames more easily configured
1b7d4e2b	2021-07-22T14:46:48	tstmem.py: Try importing from libxmlmods.libxml2mod if needed Distutils builds place libxml2mod.pyd under the libxmlmods subdir, so try this directory if 'import libxml2mod' failed.
6e169c14	2021-03-30T16:11:13	python: Port python 3.x module to Windows On Windows, we don't have fcntl() which helps us to find out how a file was opened, so we need to resort to the Windows API NtQueryInformationFile() in ntdll.dll to help us, and compare the file access modes as appropriate to deduce the modes we want to pass into fdopen(). As all official Python 3.x releases are built against newer Windows CRTs that toughen checks on the validity of the file descriptor when we convert the fd to a native Windows File Handle using _get_osfhandle(), we need to define an empty handler so that the program does not abort if the fd that was passed in was invalid; instead, we just return NULL if _get_osfhandle() could not return us a valid Windows File Handle.

89d9ef3e

2022-03-01T15:14:00

Reset last error in xmlCleanupGlobals Before, we tried to reset the last error in xmlCleanupParser. But if xmlCleanupParser wasn't called from the main thread, this would reset the thread-local error object. xmlCleanupGlobals has access to the error object of the main thread and can reset it reliably.

ebc50097

2022-03-01T13:57:16

Warn when using deprecated functions from Python bindings This requires Python code to be run with -Wd.

b66ce0bb

2022-03-01T12:39:02

Don't include ICU headers in public headers There's no need to make these implementation details public.

50f6feb9

2022-03-01T00:05:54

Remove broken bakefile support

d7c7425c

2022-03-01T00:03:24

Remove broken Visual Studio 2010 support

b094e814

2022-03-01T00:02:59

Remove broken Windows CE support

655cf3f4

2022-02-28T23:39:00

Always fopen files with "rb" We never want translation of newlines when reading files, so it should be safe to always specify "rb". On sane platforms, the "b" flag is simply ignored.

3f8655db

2022-02-28T23:22:50

Remove __DJGPP__ checks Drop broken support for DJGPP.

2489c1d0

2022-02-28T22:42:10

Remove useless __CYGWIN__ checks From what I can tell, some really early Cygwin versions from around 1998-2000 used to erroneously define _WIN32. This was eventually fixed, but these days, the `defined(_WIN32) && !defined(__CYGWIN__)` idiom is unnecessary. Now, we only check for __CYGWIN__ in xmlexports.h when deciding whether to use __declspec.

ea6e8f99

2021-12-20T00:34:58

Fix certain combinations of regex range quantifiers Fix regex transitions that have both min/max and a counter. In this case, we want to save the regex state before incrementing the counter. Fixes #301 and the issue reported here: https://mail.gnome.org/archives/xml/2016-April/msg00017.html

382fb056

2021-12-20T00:31:41

Fix range quantifier on subregex Make sure to add counted exit transitions before other counter transitions. Otherwise, we won't backtrack correctly. Fixes #65.

48ed5a74

2022-02-21T09:35:59

Update `xmlStrlen()` to use POSIX / ISO C `strlen()` This should be faster on a wide range of platforms. Closes #212

5bc5f076

2022-02-24T18:34:39

Fix build with older Python versions ModuleNotFoundError is only available since Python 3.6. Use the superclass ImportError instead. Fixes commit 3cc64a89. Fixes #347.

c41bc10d

2022-02-22T19:57:12

Fix unused variable warnings with disabled features

4fd69f3e

2022-02-22T18:15:53

Fix recovery from invalid HTML start tags Only try to parse a start tag if there's a '<' followed by an ASCII letter. This is more in line with HTML5 and the old behavior in recovery mode. Emit a literal '<' if the following character is invalid. Fixes #101. Fixes #339.

b057239b

2022-02-22T11:52:38

More fixes to --without-valid build Fix runtest and Python bindings when building --without-valid. The Python tests still fail. There doesn't seem to be a mechanism to disable tests depending on feature flags.

d05317ce

2022-02-22T11:51:08

Fix --without-valid build Regressed in commit 652dd12a.

f5509772

2022-02-20T22:06:16

Fix documentation in entities.c

b26d581d

2022-02-20T21:26:50

Add note about optimization flags

6117700e

2022-02-20T20:56:40

Remove special configuration for certain maintainers

004fe9de

2022-02-20T19:02:31

Deprecate IDREF-related functions in valid.h These functions are only needed internally for validation. xmlGetRefs is inherently unsafe because the ref table isn't updated if attributes are removed (unlike the ids table). None of the Ubuntu 20.04 packages depending on libxml2 use any of these functions (except xmlFreeRefTable in libxslt), so it seems perfectly safe to deprecate them. Remove xmlIsRef and xmlRemoveRef from the Python bindings.

61de9297

2022-02-20T20:59:14

Deprecate all functions in DOCBparser.h

274a1b5b

2022-02-20T16:05:53

Remove unneeded code in xmlreader.c Now that no references to ID and IDREF attributes are stored in streaming validation mode, there's no need to try and remove them. Also remove xmlTextReaderFreeIDTable which was identical to xmlFreeIDTable.

d7cb33cf

2022-01-13T17:06:14

Rework validation context flags Use a bitmask instead of magic values to - keep track whether the validation context is part of a parser context - keep track whether xmlValidateDtdFinal was called This allows to add addtional flags later. Note that this deliberately changes the name of a public struct member, assuming that this was always private data never to be used by client code.

aeaf02c0

2022-02-20T20:51:20

Disable docbook support by default The docbook code is broken and has been deprecated for years.

cf4893f7

2022-02-20T19:56:41

Deprecate legacy functions

96889d19

2022-02-20T17:36:28

Disable legacy support by default If you need support for legacy APIs, you have to enable it explicitly: ./configure --with-legacy

9e0ca5a1

2022-02-20T19:29:01

Deprecate all functions in nanoftp.h

a0a0f3be

2022-02-20T17:33:47

Disable FTP support by default In the unlikely case that you really need FTP support, you have to enable it explicitly with: ./configure --with-ftp

a2fe74c0

2022-02-20T18:19:27

Add XML_DEPRECATED macro __attribute__((deprecated)) is available since at least GCC 3.1, so an exact version check is probably unnecessary.

346c3a93

2022-02-20T18:46:42

Remove elfgcchack.h The same optimization can be enabled with -fno-semantic-interposition since GCC 5. clang has always used this option by default.

ce0871e1

2022-02-20T16:44:41

Only warn on invalid redeclarations of predefined entities Downgrade the error message to a warning since the error was ignored, anyway. Also print the name of redeclared entity. For a proper fix that also shows filename and line number of the invalid redeclaration, we'd have to - pass the parser context to the entity functions somehow, or - make these functions return distinct error codes. Partial fix for #308.

e03590c9

2022-02-08T02:42:30

Don't add IDs containing unexpanded entity references When parsing without entity substitution, IDs or IDREFs containing unexpanded entity reference like "abc&x;def" could be created. We could try to expand these entities like in validation mode, but it seems safer to honor the request not to expand entities. We silently ignore such IDs for now.

a075d256

2022-02-19T19:05:45

Release v2.9.13

04d4124c

2022-02-19T18:50:10

Update news and rebuild documentation

652dd12a

2022-02-08T03:29:24

[CVE-2022-23308] Use-after-free of ID and IDREF attributes If a document is parsed with XML_PARSE_DTDVALID and without XML_PARSE_NOENT, the value of ID attributes has to be normalized after potentially expanding entities in xmlRemoveID. Otherwise, later calls to xmlGetID can return a pointer to previously freed memory. ID attributes which are empty or contain only whitespace after entity expansion are affected in a similar way. This is fixed by not storing such attributes in the ID table. The test to detect streaming mode when validating against a DTD was broken. In connection with the defects above, this could result in a use-after-free when using the xmlReader interface with validation. Fix detection of streaming mode to avoid similar issues. (This changes the expected result of a test case. But as far as I can tell, using the XML reader with XIncludes referencing the root document never worked properly, anyway.) All of these issues can result in denial of service. Using xmlReader with validation could result in disclosure of memory via the error channel, typically stderr. The security impact of xmlGetID returning a pointer to freed memory depends on the application. The typical use case of calling xmlGetID on an unmodified document is not affected.

d19bab68

2022-02-19T19:26:10

Fix fuzz/.gitignore after fixing VPATH build

f2ad86fa

2022-02-17T19:05:26

Remove SVN keyword anchors

b041d829

2022-02-16T19:55:30

Remove xmlwin32version.h This file was undocumented and never used anywhere. Maybe users were supposed to rename this file to xmlversion.h manually. These days, both CMake and win32/configure.js generate xmlversion.h from xmlversion.h.in, just like the Autotools build.

176115c6

2022-02-14T22:49:04

Fix source URL in libxml.spec.in

86266487

2022-02-14T18:06:38

Fix fuzzer test with VPATH build Also fixes make distcheck.

85a35ba0

2022-02-14T17:44:29

Support custom prefix when installing Python module Also fixes make distcheck.

46084436

2022-02-14T03:28:51

Remove Makefile.win A Makefile for Visual C++ 5.0, last changed 23 years ago.

a20a6022

2022-02-14T03:40:59

Fix distribution after README change

411f9803

2022-02-14T01:30:37

Rework README - Merge INSTALL.libxml2, CONTRIBUTING and AUTHORS into README - Convert to Markdown - Redact and update content - Update links

e16d729d

2022-02-14T01:31:47

Remove README.cvs-commits

8eb06937

2022-02-14T01:01:23

Remove outdated ChangeLog code The ChangeLog is from pre-Git times.

7fe9addc

2022-02-13T23:29:51

Remove CVS and SVN-related code

10891111

2022-02-13T22:52:53

Redirect links to xmlsoft.org Documentation and releases are now available on gitlab.gnome.org.

4f2693a1

2022-02-13T22:57:34

Remove README.docs This was just a partial copy of the main README.

4a0c0e63

2022-02-13T22:52:14

Remove MAINTAINERS Maintainers are listed in libxml2.doap.

b0e6eb97

2022-02-13T22:51:26

Remove xmltutorial.pdf We already have an HTML version.

daf2d9c3

2022-02-08T04:30:29

Fix regression in RelaxNG pattern matching XML_SCHEMAS_QNAME is not a string-derived type. Other types up to XML_SCHEMAS_ENTITIES are. Should fix #224.

d54564ea

2022-02-12T21:38:19

Remove .travis.yml

0a6a79b2

2022-02-12T21:36:27

Try again to only build GitLab Pages on main repo

a3aca203

2022-02-12T21:33:53

Try again to only build GitLab Pages on main repo

15111c82

2022-02-12T21:25:25

Only build GitLab Pages on main repo

2017cae6

2022-02-12T20:02:51

Upload documentation to GitLab pages

be889b65

2022-01-26T16:35:18

Make xmlFuzzReadString return a zero size in error case Avoids use of uninitialized memory.

57b3abd5

2022-02-07T22:09:25

Fix xmlSetTreeDoc with entity references The children member of entity reference nodes points to the entity declaration and must never be followed when traversing a tree. In the worst case, this could lead to an infinite loop. It's somewhat unclear how moving entity references to other documents should work exactly. For now we simply set the children pointer to NULL to avoid a reference to the original document. Fixes #42.

8be44aeb

2022-02-07T20:54:33

Fix "xmllint -" Short-lived regression from commit d12be00d.

9edc20c1

2022-02-07T20:38:30

Fix double counting of CRLF in comments Fixes #151.

b14649e3

2022-02-07T19:54:20

Remove old ChangeLog This was probably generated from SVN until 2009. Changes are now tracked in NEWS. Fixes #261.

fcd4c5b8

2022-02-07T19:22:45

Document how to escape XML_CATALOG_FILES Fixes #309.

ea53fc18

2022-02-07T18:24:03

Properly handle nested documents in xmlFreeNode Client code should never add document nodes as children of other nodes, but even our own XPointer code has a bug that can produce such trees. Make sure to really free nested documents. Also see commits 0815302d and 0762c9b6. Should fix #269.

96535657

2022-02-07T15:26:33

Make sure to grow input buffer in xmlParseMisc Otherwise, large amount of whitespace could lead to documents not being parsed correctly. Fixes #299.

9b8ef34d

2022-02-04T14:42:16

Fix unused function warning in testapi.c

d12be00d

2022-02-04T14:13:59

Don't ignore xmllint options after "-" There's no reason to ignore options after "-". This was probably confused with the "--" mechanism which xmllint doesn't implement. Fixes #290.

5408c10c

2022-02-04T14:00:09

Don't normalize namespace URIs in XPointer xmlns() scheme Namespace URIs should be compared without escaping or unescaping: https://www.w3.org/TR/REC-xml-names/#NSNameComparison Fixes #289.

1c7d91ab

2022-02-03T23:31:19

Fix handling of XSD with empty namespace An empty namespace means no default namespace. Fixes #303.

f480f750

2022-02-03T14:43:17

Update NewsML DTD in test suite Switch to version 1.2 which has a clearer license. Fixes #291.

247cfa27

2022-02-01T16:21:10

Fix parsing of xmllint --maxmem option Fixes #195.

96dc7f4a

2022-02-01T16:15:51

Also register HTML document nodes Fixes #196.

18d1f9d4

2022-02-01T15:56:21

Add more checks for malloc failures in xmllint.c Also fix a few of the existing checks. Fixes #197. Fixes #198.

eab86522

2022-01-31T14:45:09

Make xmllint return an error if arguments are missing Before, xmllint would only return an error code if the argument list was completely empty. Fixes #285.

6010a536

2022-01-28T16:27:12

Avoid potential integer overflow in xmlstring.c For historical reasons, the string API operates with int indices which can overflow, especially on 64-bit systems. libxml2 always made the tacit assumption that strings will be never larger than INT_MAX bytes. It should be considered a bug if any part of the code can produce larger strings, whether they are externally visible or not. Likewise, API users are expected not to supply strings larger than INT_MAX bytes. This requirement isn't documented. But even if it was, we must handle larger strings passed in by accident without causing memory errors. - xmlStrndup, xmlCharStrndup, xmlUTF8Strndup Avoid integer overflow if len == INT_MAX. - xmlStrlen, xmlUTF8Strsize, xmlUTF8Strloc Avoid integer overflow by using size_t for index. If an input string larger than INT_MAX bytes is detected, these functions now return 0 instead of a wrong and possibly negative value. - xmlCheckUTF8 Avoid integer overflow by limiting index range. - xmlStrncat, xmlStrncatNew, xmlEscapeFormatString Avoid integer overflow. Return NULL instead of producing strings larger than INT_MAX bytes.

8f5ccada

2021-07-07T19:24:36

xmlAddChild() and xmlAddNextSibling() may not attach their second argument Use the return value of xmlAddChild() and xmlAddNextSibling() instead of the second argument directly. Found by OSS-Fuzz. Fixes #316

53983804

2022-01-25T03:08:22

Run CI tests with UBSan implicit-conversion checks This enables the remaining checks from the "integer" group: - implicit-unsigned-integer-truncation - implicit-signed-integer-truncation - implicit-integer-sign-change These checks can find all kinds of bugs and only require explicit casts if integer truncation or sign change is really intended.

a647e430

2022-01-25T02:59:40

Fix casting of line numbers in SAX2.c The line member is an unsigned short. Avoids integer conversion warnings with UBSan. Also use USHRT_MAX instead of hard-coded constant.

67c2e78b

2022-01-25T02:44:37

Fix integer conversion warnings in hash.c Use unsigned long for temporary variable to avoid integer conversion warnings with UBSan. Note that this does change the computation of hash values for input bytes larger than 0x7F. Before, these bytes were first converted to a (typically) signed char with a negative value, then to a large unsigned long near ULONG_MAX. I doubt that this was intentional. Input bytes larger than 0x7F are now converted to unsigned long unchanged.

21217dd9

2022-01-25T02:34:40

Add explicit casts in runtest.c Avoids integer conversion warnings with UBSan.

7abc6e6a

2022-01-25T02:27:53

Fix integer conversion warning in xmlIconvWrapper Use size_t for return value of iconv(3) to avoid an UBSan integer conversion warning.

f4a74bf0

2022-01-25T02:21:05

Add suffix to unsigned constant in xmlmemory.c Avoids an integer conversion warning with UBSan.

5948abfe

2022-01-25T01:59:03

Add explicit casts in testchar.c Avoids integer conversion warnings with UBSan.

6f95273e

2022-01-25T01:46:59

Fix integer conversion warnings in xmlstring.c Use an int to avoid an integer conversion warning with UBSan when left-shifting a char.

0596d67d

2022-01-25T01:39:41

Add explicit cast in xmlURIUnescapeString Avoids an integer conversion warning with UBSan.

f872aa18

2022-01-25T01:16:00

Fix handling of ctxt->base in xmlXPtrEvalXPtrPart Also set ctxt->base when updating ctxt->cur. Always restore ctxt->cur on error. Avoids integer truncation and wrong column numbers in xmlXPathErr. Stop hiding modification of ctxt members behind a macro. Found with UBSan.

97fe1279

2022-01-20T16:08:35

Remove wrong tarname from AC_INIT Remove the "tarname" added in commit 7c0253aa. Having a tarname including a version number would result in tarballs named libxml2-2.9.12-2.9.12.tar.gz. This change also means that documentation will now be installed in $(datadir)/doc/libxml2 instead of $(datadir)/doc/libxml2-$(version). Having a version number in the documentation directory doesn't seem helpful. The new location also matches the default autotools $(docdir).

00e618eb

2022-01-17T21:39:27

Remove old devhelp format See #295.

d85245f9

2022-01-16T21:39:04

Fix regression with PEs in external DTD Fix a regression introduced with commit a28f7d87. In some cases, parameter entity references in external DTDs wouldn't be expanded. Fixes #306.

9f4cb84c

2022-01-16T18:39:51

Fix xmllint --maxmem xmlMemSetup must be called before initializing the parser, otherwise some data structures will be allocated with system malloc instead of our custom allocator. This throws off built-in memory debugging and sanitizers.

e4c91f74

2021-11-03T11:41:11

Fix Null-deref-in-xmlSchemaGetComponentTargetNs

9277abe2

2022-01-16T15:50:56

Fix libxml2.doap Add description. Change category to "infrastructure". Apparently, "platform" isn't allowed anymore. Add programming language.

87a99270

2021-08-26T11:50:41

Added regression tests for xmlReadFd() and htmlReadFd()

fe6890e2

2021-07-27T13:20:20

Fix htmlReadFd, which was using a mix of xml and html context functions

67953a9f

2022-01-16T15:30:02

Fix memory leak in xmlXPathCompNodeTest Found by Coverity.

3cc64a88

2021-07-22T15:46:38

setup.py.in: Try to import setuptools This way, we can build binary wheels easily if needed

dbfe6151

2021-07-22T15:36:15

Python distutils: Make DLL packaging more flexible This updates setup.py.in to pack the DLLs according to the options we specified to configure.js or CMake (or, even configure, although autotools builds are not likely to build the libxml2 Python module via distutils). At this point, we can pack only the DLLs that libxml2 really depends on, and pack the libxslt DLLs only if we really built the libxslt Python modules. Also make the DLL filenames more easily configured

1b7d4e2b

2021-07-22T14:46:48

tstmem.py: Try importing from libxmlmods.libxml2mod if needed Distutils builds place libxml2mod.pyd under the libxmlmods subdir, so try this directory if 'import libxml2mod' failed.

6e169c14

2021-03-30T16:11:13

python: Port python 3.x module to Windows On Windows, we don't have fcntl() which helps us to find out how a file was opened, so we need to resort to the Windows API NtQueryInformationFile() in ntdll.dll to help us, and compare the file access modes as appropriate to deduce the modes we want to pass into fdopen(). As all official Python 3.x releases are built against newer Windows CRTs that toughen checks on the validity of the file descriptor when we convert the fd to a native Windows File Handle using _get_osfhandle(), we need to define an empty handler so that the program does not abort if the fd that was passed in was invalid; instead, we just return NULL if _get_osfhandle() could not return us a valid Windows File Handle.

kc3-lang/libxml2

Log