testrecurse.c


Log

Author Commit Date CI Message
Nick Wellnhofer 9b5cce7a 2023-09-21T00:44:50 include: Remove more unnecessary includes
Nick Wellnhofer 209516ac 2023-09-20T15:49:03 tests: Don't use deprecated symbols
Nick Wellnhofer 5aff27ae 2023-08-08T15:21:25 parser: Optimize xmlLoadEntityContent Load entity content via xmlParserInputBufferGrow, avoiding a copy. This also fixes an entity size accounting error.
Nick Wellnhofer 886bf4e6 2023-04-30T15:35:47 Stop calling xmlMemoryDump This was used to check for memory leaks but could potentially create a .memdump file. These days, there are better ways to check for memory leaks.
Nick Wellnhofer 3f69fc80 2023-03-08T13:58:49 parser: Tighten expansion limits - Lower the amount of expansion which is always allowed from 10MB to 1MB. - Lower the maximum amplification factor from 10 to 5. - Lower the "fixed cost" from 50 to 20.
Nick Wellnhofer cfc036bd 2022-12-21T19:27:45 testrecurse: Test parameter entity accounting
Nick Wellnhofer 106c4cdd 2022-12-21T17:05:54 testrecurse: Support multiple huge docs
Nick Wellnhofer 079da5b2 2022-12-21T03:26:31 testrecurse: Add external entities to huge test
Nick Wellnhofer 01bcb23d 2022-12-21T01:01:36 testrecurse: Add test cases for external entities Add test cases for external general and parameter entities.
Nick Wellnhofer 69aeff53 2022-12-20T22:33:28 testrecurse: Also test without entity substitution
Nick Wellnhofer 4c7cb8f4 2022-12-20T22:42:24 testrecurse: Also test SAX parser
Nick Wellnhofer 583cd2f6 2022-12-21T05:13:23 testrecurse: Start to test entity expansion stats
Nick Wellnhofer 463bbeec 2022-12-19T18:39:45 entities: Rework entity amplification checks This commit implements robust detection of entity amplification attacks, better known as the "billion laughs" attack. We now limit the size of the document after substitution of entities to 10 times the size before expansion. This guarantees linear behavior by definition. There already was a similar check before, but the accounting of "sizeentities" (size of external entities) and "sizeentcopy" (size of all copies created by entity references) wasn't accurate. We also need saturation arithmetic since we're historically limited to "unsigned long" which is 32-bit on many platforms. A maximum of 10 MB of substitutions is always allowed. This should make use cases like DITA work which have caused problems in the past. The old checks based on the number of entities were removed. This is accounted for by adding a fixed cost to each entity reference. Entity amplification checks are now enabled even if XML_PARSE_HUGE is set. This option is mainly used to allow larger text nodes. Most users were unaware that it also disabled entity expansion checks. Some of the limits might be adjusted later. If this change turns out to affect legitimate use cases, we can add a separate parser option to disable the checks. Fixes #294. Fixes #345.
Nick Wellnhofer dd3569ea 2022-12-08T02:43:17 Remove XMLDECL macro from .c files
Nick Wellnhofer 34a5a4a5 2022-11-22T15:40:51 tests: Remove unneeded #includes
Nick Wellnhofer 5bffa33a 2022-09-02T05:03:03 Stop including sys/types.h
Nick Wellnhofer 2489c1d0 2022-02-28T22:42:10 Remove useless __CYGWIN__ checks From what I can tell, some really early Cygwin versions from around 1998-2000 used to erroneously define _WIN32. This was eventually fixed, but these days, the `defined(_WIN32) && !defined(__CYGWIN__)` idiom is unnecessary. Now, we only check for __CYGWIN__ in xmlexports.h when deciding whether to use __declspec.
Jared Yanovich 2a350ee9 2019-09-30T17:04:54 Large batch of typo fixes Closes #109.
Nick Wellnhofer 8919885f 2019-01-01T16:30:38 Fix -Wformat-truncation warnings (GCC 8)
Nick Wellnhofer 154824ee 2017-10-21T14:07:38 Fix unused variable warnings in testrecurse
Roumen Petrov c3b1d09b 2012-08-13T16:50:48 clean redefinition of {v}snprintf in C-source as those from *config.h are preferable (e.g. win32config.h)
Roumen Petrov 1f0453f7 2012-08-13T16:56:11 minimize use of HAVE_CONFIG_H as build process for supported platforms provide "config.h" header file
Daniel Veillard b60e612e 2012-07-18T16:21:17 Small cleanup of unused variables in test
Daniel Veillard 22030ef8 2012-05-23T15:52:45 Restore code for Windows compilation Try to keep as close to rc1 but still allow the change from Roumen for mingw
Roumen Petrov 978ff224 2012-05-20T16:07:54 use mingw C99 compatible functions {v}snprintf instead of those from MSVC runtime
Daniel Veillard 0161e638 2008-08-28T15:36:32 completely different fix for the recursion detection based on entity * parser.c include/libxml/parser.h: completely different fix for the recursion detection based on entity density, big cleanups in the entity parsing code too * result/*.sax*: the parser should not ask for user defined versions of the predefined entities * testrecurse.c: automatic test for entity recursion checks * Makefile.am: added testrecurse * test/recurse/lol* test/recurse/good*: a first set of tests for the recursion Daniel svn path=/trunk/; revision=3783