RubyGems - nokogiri - Versions diffs - 1.10.5 → 1.10.10 - Mend

nokogiri 1.10.5 → 1.10.10

Potentially problematic release.

This version of nokogiri might be problematic. Click here for more details.

Files changed (6) hide show

checksums.yaml +4 -4
data/ext/nokogiri/xml_schema.c +29 -0
data/lib/nokogiri/version.rb +1 -1
data/patches/libxml2/0004-libxml2.la-is-in-top_builddir.patch +25 -0
data/patches/libxml2/0005-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch +32 -0
metadata +18 -11

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d09078ee6949b248592e23a36f6aab7de47aefaf02f03056a5763214853f2c58
-  data.tar.gz: 1350d89ecb005263c7ed9432268385e2dca176866c1e065fdef1396a1978fa12
+  metadata.gz: 8ea976ad079c6e265a2275365b6572541c675b6815a8cc08b6cdd18e08f86764
+  data.tar.gz: 33d11553009bb7563d6594802e0de35f5c950d7df07b828c54b6411f573d4a99
 SHA512:
-  metadata.gz: d8a48d06cc6100c8ffa25b64ad6e3e4f839e8445a98191a4e1caef98d9f8fc648b6f1a578b79451b168141d166e4ba4c5a58c954b2805c4689983311f423eb15
-  data.tar.gz: bcafffbdfabf2370d543652b7b77f2b03c1c8ae6d9dbe1aaa05d042e619310ac861ee8458baab7ebe569f0d14ca6ec5bd60a4a379bd04aaf8dd8618d587be7ee
+  metadata.gz: c8b1e1b238c4a0f4354bb7358a31dbf2288cc654313267e65bbbacb996abf28eb7d40122fae3a27f0ae9a589531c6717a0f7be4660412b757a95b15e12661b30
+  data.tar.gz: 87769ba4a458792224e910db95258ae447714a0b732e69832d7ab643d798827e27faeafe29936067b4d07affb144dd88f6ab09de47e296c9f67b0bc4093176a8

data/ext/nokogiri/xml_schema.c CHANGED

@@ -133,6 +133,31 @@ static VALUE read_memory(VALUE klass, VALUE content)
   return rb_schema;
 }
+/* Schema creation will remove and deallocate "blank" nodes.
+ * If those blank nodes have been exposed to Ruby, they could get freed
+ * out from under the VALUE pointer.  This function checks to see if any of
+ * those nodes have been exposed to Ruby, and if so we should raise an exception.
+ */
+static int has_blank_nodes_p(VALUE cache)
+{
+    long i;
+    if (NIL_P(cache)) {
+        return 0;
+    }
+    for (i = 0; i < RARRAY_LEN(cache); i++) {
+        xmlNodePtr node;
+        VALUE element = rb_ary_entry(cache, i);
+        Data_Get_Struct(element, xmlNode, node);
+        if (xmlIsBlankNode(node)) {
+            return 1;
+        }
+    }
+    return 0;
+}
 /*
  * call-seq:
  *  from_document(doc)
@@ -152,6 +177,10 @@ static VALUE from_document(VALUE klass, VALUE document)
   /* In case someone passes us a node. ugh. */
   doc = doc->doc;
+  if (has_blank_nodes_p(DOC_NODE_CACHE(doc))) {
+    rb_raise(rb_eArgError, "Creating a schema from a document that has blank nodes exposed to Ruby is dangerous");
+  }
   ctx = xmlSchemaNewDocParserCtxt(doc);
   errors = rb_ary_new();

data/lib/nokogiri/version.rb CHANGED

@@ -1,6 +1,6 @@
 module Nokogiri
   # The version of Nokogiri you are using
-  VERSION = "1.10.5"
+  VERSION = "1.10.10"
   class VersionInfo # :nodoc:
     def jruby?

data/patches/libxml2/0004-libxml2.la-is-in-top_builddir.patch ADDED

@@ -0,0 +1,25 @@
+From 0b6ae484761fa01242fe8b67b54e3eb2d282d83d Mon Sep 17 00:00:00 2001
+From: Mike Dalessio <mike.dalessio@gmail.com>
+Date: Wed, 4 Dec 2019 08:43:51 -0500
+Subject: [PATCH] fix libxml2.la's path
+---
+ Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Makefile.in b/Makefile.in
+index cf96d41..1372d8b 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -1057,7 +1057,7 @@ clean-noinstLTLIBRARIES:
+ 	  rm -f $${locs}; \
+ 	}
+-libxml2.la: $(libxml2_la_OBJECTS) $(libxml2_la_DEPENDENCIES) $(EXTRA_libxml2_la_DEPENDENCIES)
++$(top_builddir)/libxml2.la: $(libxml2_la_OBJECTS) $(libxml2_la_DEPENDENCIES) $(EXTRA_libxml2_la_DEPENDENCIES)
+ 	$(AM_V_CCLD)$(libxml2_la_LINK) -rpath $(libdir) $(libxml2_la_OBJECTS) $(libxml2_la_LIBADD) $(LIBS)
+ testdso.la: $(testdso_la_OBJECTS) $(testdso_la_DEPENDENCIES) $(EXTRA_testdso_la_DEPENDENCIES)
+--
+2.17.1

data/patches/libxml2/0005-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch ADDED

@@ -0,0 +1,32 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+Found with libFuzzer.
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/parser.c b/parser.c
+index d1c3196..a34bb6c 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+     else
+         c = 0;
+     while ((c != 0) && (c != end) && /* non input consuming loop */
+-	   (c != end2) && (c != end3)) {
++           (c != end2) && (c != end3) &&
++           (ctxt->instate != XML_PARSER_EOF)) {
+ 	if (c == 0) break;
+         if ((c == '&') && (str[1] == '#')) {
+--
+2.17.1

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nokogiri
 version: !ruby/object:Gem::Version
-  version: 1.10.5
+  version: 1.10.10
 platform: ruby
 authors:
 - Aaron Patterson
@@ -14,7 +14,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-31 00:00:00.000000000 Z
+date: 2020-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mini_portile2
@@ -148,28 +148,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 1.1.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 1.1.0
 - !ruby/object:Gem::Dependency
   name: rake-compiler-dock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.0
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rexical
   requirement: !ruby/object:Gem::Requirement
@@ -238,14 +238,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.22'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.22'
 description: |-
   Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser.  Among
   Nokogiri's many features is the ability to search documents via XPath
@@ -442,12 +442,19 @@ files:
 - patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
 - patches/libxml2/0002-Remove-script-macro-support.patch
 - patches/libxml2/0003-Update-entities-to-remove-handling-of-ssi.patch
+- patches/libxml2/0004-libxml2.la-is-in-top_builddir.patch
+- patches/libxml2/0005-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch
 - ports/archives/libxml2-2.9.10.tar.gz
 - ports/archives/libxslt-1.1.34.tar.gz
-homepage:
+homepage: https://nokogiri.org
 licenses:
 - MIT
-metadata: {}
+metadata:
+  homepage_uri: https://nokogiri.org
+  bug_tracker_uri: https://github.com/sparklemotion/nokogiri/issues
+  documentation_uri: https://nokogiri.org/rdoc/index.html
+  changelog_uri: https://nokogiri.org/CHANGELOG.html
+  source_code_uri: https://github.com/sparklemotion/nokogiri
 post_install_message:
 rdoc_options:
 - "--main"
@@ -465,7 +472,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.8
 signing_key:
 specification_version: 4
 summary: Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser