From noreply at sourceforge.net Sun Jun 3 17:38:02 2007
From: noreply at sourceforge.net (SourceForge.net)
Date: Sun, 03 Jun 2007 08:38:02 -0700
Subject: [Expat-bugs] [ expat-Bugs-1632466 ] Error when I do make for expat2.0.0
Message-ID:

Bugs item #1632466, was opened at 2007-01-10 10:13
Message generated for change (Comment added) made by kwaclaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=1632466&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Build control
Group: None
>Status: Closed
>Resolution: Rejected
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Greg Stein (gstein)
Summary: Error when I do make for expat2.0.0

Initial Comment:
# PATH=/usr/ccs/bin:$PATH make
/bin/bash ./libtool --silent --mode=compile gcc -I./lib -I. -g -O2 -Wall -Wmissing-prototypes -Wstrict-prototypes -fexceptions -DHAVE_EXPAT_CONFIG_H -DXML_UNICODE -o lib/xmlparse.lo -c lib/xmlparse.c
/bin/bash ./libtool --silent --mode=compile gcc -I./lib -I. -g -O2 -Wall -Wmissing-prototypes -Wstrict-prototypes -fexceptions -DHAVE_EXPAT_CONFIG_H -DXML_UNICODE -o lib/xmltok.lo -c lib/xmltok.c
/bin/bash ./libtool --silent --mode=compile gcc -I./lib -I. -g -O2 -Wall -Wmissing-prototypes -Wstrict-prototypes -fexceptions -DHAVE_EXPAT_CONFIG_H -DXML_UNICODE -o lib/xmlrole.lo -c lib/xmlrole.c
/bin/bash ./libtool --silent --mode=link gcc -I./lib -I. -g -O2 -Wall -Wmissing-prototypes -Wstrict-prototypes -fexceptions -DHAVE_EXPAT_CONFIG_H -DXML_UNICODE -no-undefined -version-info 6:0:5 -rpath /usr/local/lib/perl5/site_perl/lib -o libexpat.la lib/xmlparse.lo lib/xmltok.lo lib/xmlrole.lo
ld: fatal: library -lgcc_s: not found
ld: fatal: library -lgcc_s: not found
ld: fatal: File processing errors.
No output written to .libs/libexpat.so.1.5.0
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `libexpat.la'

----------------------------------------------------------------------

>Comment By: Karl Waclawek (kwaclaw)
Date: 2007-06-03 11:38

Message:
Logged In: YES
user_id=290026
Originator: NO

Rejected - bug report too unspecific to act on it.

----------------------------------------------------------------------

Comment By: Karl Waclawek (kwaclaw)
Date: 2007-05-04 21:25

Message:
Logged In: YES
user_id=290026
Originator: NO

What platform is this on? Have you been able to fix this?

----------------------------------------------------------------------

From noreply at sourceforge.net Sun Jun 24 05:54:02 2007
From: noreply at sourceforge.net (SourceForge.net)
Date: Sat, 23 Jun 2007 20:54:02 -0700
Subject: [Expat-bugs] [ expat-Bugs-1742315 ] Harmful XML_ParserCreateNS suggestion
Message-ID:

Bugs item #1742315, was opened at 2007-06-24 05:54
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=1742315&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Documentation
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Björn Höhrmann (hoehrmann)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: Harmful XML_ParserCreateNS suggestion

Initial Comment:
The documentation for XML_ParserCreateNS says for the sep parameter "you should pick a character for sep that can't be part of a legal URI".
This is a very bad suggestion, for example, the test suite uses the space
character and Google code search suggests other people are using among
other things "|", "!", "#", "&", ":", "/", and tab. It is true that legal
URIs cannot contain some of these characters such as space and tab, but
xmlns attributes certainly can and Expat does not filter them out. Poorly
written name expansion code is so easily vulnerable to attack. Instead,
the documentation should strongly recommend against using any of these
characters and recommend to use a character that cannot occur in XML_Char
arrays. In particular, -1 and WCHAR_MAX cannot occur because UTF-8
prohibits 0xFF and XML prohibits U+FFFF. Another suggestion would be 0x01
if Expat will never support XML 1.1.

----------------------------------------------------------------------

From noreply at sourceforge.net Sun Jun 24 19:22:49 2007
From: noreply at sourceforge.net (SourceForge.net)
Date: Sun, 24 Jun 2007 10:22:49 -0700
Subject: [Expat-bugs] [ expat-Bugs-1742315 ] Harmful XML_ParserCreateNS suggestion
Message-ID:

Bugs item #1742315, was opened at 2007-06-23 23:54
Message generated for change (Comment added) made by kwaclaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=1742315&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Documentation
Group: None
Status: Open
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Björn Höhrmann (hoehrmann)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: Harmful XML_ParserCreateNS suggestion

Initial Comment:
The documentation for XML_ParserCreateNS says for the sep parameter "you should pick a character for sep that can't be part of a legal URI".
This is a very bad suggestion, for example, the test suite uses the space
character and Google code search suggests other people are using among
other things "|", "!", "#", "&", ":", "/", and tab. It is true that legal
URIs cannot contain some of these characters such as space and tab, but
xmlns attributes certainly can and Expat does not filter them out. Poorly
written name expansion code is so easily vulnerable to attack. Instead,
the documentation should strongly recommend against using any of these
characters and recommend to use a character that cannot occur in XML_Char
arrays. In particular, -1 and WCHAR_MAX cannot occur because UTF-8
prohibits 0xFF and XML prohibits U+FFFF. Another suggestion would be 0x01
if Expat will never support XML 1.1.

----------------------------------------------------------------------

>Comment By: Karl Waclawek (kwaclaw)
Date: 2007-06-24 13:22

Message:
Logged In: YES
user_id=290026
Originator: NO

Although I am not quite sure how one would create an attack based on this
weakness - not being a hacker myself, I do agree that the docs should be
worded stronger. I think this issue has come up before, e.g. in bug #
918730. I committed a fix in reference.html rev. 1.74.

----------------------------------------------------------------------
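The name-expansion ambiguity raised in the XML_ParserCreateNS report above, as an added example that is not part of the tracker messages or of Expat's own code. It uses Python's bundled Expat binding, whose `namespace_separator` argument plays the role of `sep`; the helper names, the `urn:example:acl` namespace and both sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

def expanded_names(xml_bytes, sep):
    """Parse with namespace processing on; return element names as Expat reports them."""
    names = []
    parser = expat.ParserCreate(namespace_separator=sep)
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names

def naive_expand(name, sep):
    """Poorly written expansion: assumes sep occurs exactly once in the name."""
    parts = name.split(sep)
    return (parts[0], parts[1]) if len(parts) > 1 else (None, parts[0])

def strict_expand(name, sep):
    """Expansion that refuses names in which sep does not mark a single boundary."""
    if name.count(sep) > 1:
        raise ValueError("separator occurs inside the namespace URI")
    uri, found, local = name.rpartition(sep)
    return (uri if found else None, local)

# Constructed sample: the xmlns value itself contains '#', one of the
# separators the report found in use.
DOC = b'<p:note xmlns:p="urn:example:acl#admin"/>'
# Constructed sample: a character reference to U+0001, which XML 1.0 forbids.
DOC_CTRL = b'<p:note xmlns:p="urn:example:acl&#1;admin"/>'

def demo():
    weak = expanded_names(DOC, "#")[0]      # URI and local name both split on '#'
    safe = expanded_names(DOC, "\x01")[0]   # 0x01 cannot occur in the URI
    try:
        expanded_names(DOC_CTRL, "\x01")
        ctrl_rejected = False
    except expat.ExpatError:
        ctrl_rejected = True                # parser refuses the control character
    return naive_expand(weak, "#"), strict_expand(safe, "\x01"), ctrl_rejected

if __name__ == "__main__":
    print(demo())
```

With `#` as separator the naive splitter reports an element `admin` in namespace `urn:example:acl`, although the document declared neither. Expat releases newer than the one discussed in this thread reject a namespace URI containing the separator when that separator is not a valid URI character, so a space or tab separator may produce a parse error there instead of an ambiguous name.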