RubyGems - nokogiri - Versions diffs - 1.10.5-java → 1.10.10-java - Mend

nokogiri 1.10.5-java → 1.10.10-java

Potentially problematic release.

This version of nokogiri might be problematic. Click here for more details.

Files changed (9) hide show

checksums.yaml +4 -4
data/ext/java/nokogiri/XmlNodeSet.java +2 -1
data/ext/nokogiri/xml_schema.c +29 -0
data/lib/nokogiri/nokogiri.jar +0 -0
data/lib/nokogiri/version.rb +1 -1
metadata +16 -14
data/patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch +0 -78
data/patches/libxml2/0002-Remove-script-macro-support.patch +0 -40
data/patches/libxml2/0003-Update-entities-to-remove-handling-of-ssi.patch +0 -44

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: db9dd50706263400b39bffa662a8f17ce6985dcc26703bd2c05583b647cf03b4
-  data.tar.gz: e6a04af92285bedbb11d877c93422aaf382d4b39059815173e9f678f495062c0
+  metadata.gz: c0009aa757c5f24adc1777f12c38fe9f92ba330ab1a09a7b90c07f9de699fde8
+  data.tar.gz: b6e4303b1f66db490393579f326f2efa057c0a34163d26645ec54e413998d835
 SHA512:
-  metadata.gz: d2bf182f13f6267aadf73eb5b0c450bd4adcc99c8af39ba63d782822d5e3de99a272c1bf1e9a7ae722a2f8c9fa9c5c930ba96d4bc7a606e5d73c4768fdb9acf0
-  data.tar.gz: 123ebc8ad24bcdec9cd839059cf76d33a2b5b1d09163e4ff4f43efe8f8a5bdbc086c5d02e21ad34fc5a54457a82c0db411687f1251fa606251e70356cd64f8c0
+  metadata.gz: b08ec706a72a4e9c9d194ca65807bc79c713736102334b189f4ab5d6c79742e510c0d4bfbf6494abcbf7e4ba5deeb824c86d76297c9f21d743e1c3a8853da8a5
+  data.tar.gz: a65b8b0235672dac4762cb5d7c0ab38e6fc1ff426b4135bf6fa297f2932cf8abe4ed181c8ead804cf1f34e63f96a6dd401041a6135c2391a816335e78ce8546a

data/ext/java/nokogiri/XmlNodeSet.java CHANGED

@@ -39,6 +39,7 @@ import static nokogiri.internals.NokogiriHelpers.nodeListToRubyArray;
 import java.util.Arrays;
 import org.jruby.Ruby;
+import org.jruby.RubyArray;
 import org.jruby.RubyClass;
 import org.jruby.RubyFixnum;
 import org.jruby.RubyObject;
@@ -391,7 +392,7 @@ outer:
     }
     @JRubyMethod(name = {"to_a", "to_ary"})
-    public IRubyObject to_a(ThreadContext context) {
+    public RubyArray to_a(ThreadContext context) {
         return context.runtime.newArrayNoCopy(nodes);
     }

data/ext/nokogiri/xml_schema.c CHANGED

@@ -133,6 +133,31 @@ static VALUE read_memory(VALUE klass, VALUE content)
   return rb_schema;
 }
+/* Schema creation will remove and deallocate "blank" nodes.
+ * If those blank nodes have been exposed to Ruby, they could get freed
+ * out from under the VALUE pointer.  This function checks to see if any of
+ * those nodes have been exposed to Ruby, and if so we should raise an exception.
+ */
+static int has_blank_nodes_p(VALUE cache)
+{
+    long i;
+    if (NIL_P(cache)) {
+        return 0;
+    }
+    for (i = 0; i < RARRAY_LEN(cache); i++) {
+        xmlNodePtr node;
+        VALUE element = rb_ary_entry(cache, i);
+        Data_Get_Struct(element, xmlNode, node);
+        if (xmlIsBlankNode(node)) {
+            return 1;
+        }
+    }
+    return 0;
+}
 /*
  * call-seq:
  *  from_document(doc)
@@ -152,6 +177,10 @@ static VALUE from_document(VALUE klass, VALUE document)
   /* In case someone passes us a node. ugh. */
   doc = doc->doc;
+  if (has_blank_nodes_p(DOC_NODE_CACHE(doc))) {
+    rb_raise(rb_eArgError, "Creating a schema from a document that has blank nodes exposed to Ruby is dangerous");
+  }
   ctx = xmlSchemaNewDocParserCtxt(doc);
   errors = rb_ary_new();

data/lib/nokogiri/nokogiri.jar CHANGED

Binary file

data/lib/nokogiri/version.rb CHANGED

@@ -1,6 +1,6 @@
 module Nokogiri
   # The version of Nokogiri you are using
-  VERSION = "1.10.5"
+  VERSION = "1.10.10"
   class VersionInfo # :nodoc:
     def jruby?

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nokogiri
 version: !ruby/object:Gem::Version
-  version: 1.10.5
+  version: 1.10.10
 platform: java
 authors:
 - Aaron Patterson
@@ -14,7 +14,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-31 00:00:00.000000000 Z
+date: 2020-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -133,7 +133,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 1.1.0
   name: rake-compiler
   prerelease: false
   type: :development
@@ -141,13 +141,13 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 1.1.0
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.0
+        version: '1.0'
   name: rake-compiler-dock
   prerelease: false
   type: :development
@@ -155,7 +155,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -223,7 +223,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.22'
   name: hoe
   prerelease: false
   type: :development
@@ -231,7 +231,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.22'
 description: |-
   Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser.  Among
   Nokogiri's many features is the ability to search documents via XPath
@@ -522,13 +522,15 @@ files:
 - lib/xercesImpl.jar
 - lib/xml-apis.jar
 - lib/xsd/xmlparser/nokogiri.rb
-- patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
-- patches/libxml2/0002-Remove-script-macro-support.patch
-- patches/libxml2/0003-Update-entities-to-remove-handling-of-ssi.patch
-homepage:
+homepage: https://nokogiri.org
 licenses:
 - MIT
-metadata: {}
+metadata:
+  homepage_uri: https://nokogiri.org
+  bug_tracker_uri: https://github.com/sparklemotion/nokogiri/issues
+  documentation_uri: https://nokogiri.org/rdoc/index.html
+  changelog_uri: https://nokogiri.org/CHANGELOG.html
+  source_code_uri: https://github.com/sparklemotion/nokogiri
 post_install_message:
 rdoc_options:
 - "--main"
@@ -547,7 +549,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.7.6
+rubygems_version: 2.7.10
 signing_key:
 specification_version: 4
 summary: Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser

data/patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch DELETED

@@ -1,78 +0,0 @@
-From c5538465c08a8ea248a370bf55bc39cd3385e4af Mon Sep 17 00:00:00 2001
-From: Mike Dalessio <mike.dalessio@gmail.com>
-Date: Thu, 29 Mar 2018 14:09:00 -0400
-Subject: [PATCH] Revert "Do not URI escape in server side includes"
-This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
----
- HTMLtree.c | 49 +++++++++++--------------------------------------
- 1 file changed, 11 insertions(+), 38 deletions(-)
-diff --git a/HTMLtree.c b/HTMLtree.c
-index 2fd0c9c..67160c5 100644
---- a/HTMLtree.c
-+++ b/HTMLtree.c
-@@ -717,49 +717,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
- 		 (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
- 		 ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
- 		  (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
-+		xmlChar *escaped;
- 		xmlChar *tmp = value;
--		/* xmlURIEscapeStr() escapes '"' so it can be safely used. */
--		xmlBufCCat(buf->buffer, "\"");
- 		while (IS_BLANK_CH(*tmp)) tmp++;
--		/* URI Escape everything, except server side includes. */
--		for ( ; ; ) {
--		    xmlChar *escaped;
--		    xmlChar endChar;
--		    xmlChar *end = NULL;
--		    xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
--		    if (start != NULL) {
--			end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
--			if (end != NULL) {
--			    *start = '\0';
--			}
--		    }
--
--		    /* Escape the whole string, or until start (set to '\0'). */
--		    escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
--		    if (escaped != NULL) {
--		        xmlBufCat(buf->buffer, escaped);
--		        xmlFree(escaped);
--		    } else {
--		        xmlBufCat(buf->buffer, tmp);
--		    }
--
--		    if (end == NULL) { /* Everything has been written. */
--			break;
--		    }
--
--		    /* Do not escape anything within server side includes. */
--		    *start = '<'; /* Restore the first character of "<!--". */
--		    end += 3; /* strlen("-->") */
--		    endChar = *end;
--		    *end = '\0';
--		    xmlBufCat(buf->buffer, start);
--		    *end = endChar;
--		    tmp = end;
-+		/*
-+		 * the < and > have already been escaped at the entity level
-+		 * And doing so here breaks server side includes
-+		 */
-+		escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
-+		if (escaped != NULL) {
-+		    xmlBufWriteQuotedString(buf->buffer, escaped);
-+		    xmlFree(escaped);
-+		} else {
-+		    xmlBufWriteQuotedString(buf->buffer, value);
- 		}
--
--		xmlBufCCat(buf->buffer, "\"");
- 	    } else {
- 		xmlBufWriteQuotedString(buf->buffer, value);
- 	    }
---
-2.9.5

data/patches/libxml2/0002-Remove-script-macro-support.patch DELETED

@@ -1,40 +0,0 @@
-From 27e4aa8d885e47a296ea78d114dbbe8fc7aa3508 Mon Sep 17 00:00:00 2001
-From: Kevin Solorio <soloriok@gmail.com>
-Date: Fri, 1 Feb 2019 14:32:42 -0800
-Subject: [PATCH] Revert-support-html-h-b-7-1
----
- entities.c | 17 -----------------
- 1 file changed, 17 deletions(-)
-diff --git a/entities.c b/entities.c
-index 43549bc5..82652f6d 100644
---- a/entities.c
-+++ b/entities.c
-@@ -623,23 +623,6 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
- 	    *out++ = 't';
- 	    *out++ = ';';
- 	} else if (*cur == '&') {
--	    /*
--	     * Special handling of &{...} construct from HTML 4, see
--	     * http://www.w3.org/TR/html401/appendix/notes.html#h-B.7.1
--	     */
--	    if (html && attr && (cur[1] == '{') &&
--	        (strchr((const char *) cur, '}'))) {
--	        while (*cur != '}') {
--		    *out++ = *cur++;
--		    indx = out - buffer;
--		    if (indx + 100 > buffer_size) {
--			growBufferReentrant();
--			out = &buffer[indx];
--		    }
--		}
--		*out++ = *cur++;
--		continue;
--	    }
- 	    *out++ = '&';
- 	    *out++ = 'a';
- 	    *out++ = 'm';
---
-2.16.2

data/patches/libxml2/0003-Update-entities-to-remove-handling-of-ssi.patch DELETED

@@ -1,44 +0,0 @@
-From ffc08467744bd2305d41ca882c37fa30adf3a067 Mon Sep 17 00:00:00 2001
-From: Kevin Solorio <soloriok@gmail.com>
-Date: Wed, 27 Feb 2019 14:34:17 -0800
-Subject: [PATCH 2/2] update entities.c to remove handling of ssi
----
- entities.c | 21 ---------------------
- 1 file changed, 21 deletions(-)
-diff --git a/entities.c b/entities.c
-index 43549bc5..5c4a2a60 100644
---- a/entities.c
-+++ b/entities.c
-@@ -592,27 +592,6 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
- 	 * By default one have to encode at least '<', '>', '"' and '&' !
- 	 */
- 	if (*cur == '<') {
--	    const xmlChar *end;
--
--	    /*
--	     * Special handling of server side include in HTML attributes
--	     */
--	    if (html && attr &&
--	        (cur[1] == '!') && (cur[2] == '-') && (cur[3] == '-') &&
--	        ((end = xmlStrstr(cur, BAD_CAST "-->")) != NULL)) {
--	        while (cur != end) {
--		    *out++ = *cur++;
--		    indx = out - buffer;
--		    if (indx + 100 > buffer_size) {
--			growBufferReentrant();
--			out = &buffer[indx];
--		    }
--		}
--		*out++ = *cur++;
--		*out++ = *cur++;
--		*out++ = *cur++;
--		continue;
--	    }
- 	    *out++ = '&';
- 	    *out++ = 'l';
- 	    *out++ = 't';
---
-2.16.2