nokogiri 1.8.4-java → 1.8.5-java


Potentially problematic release.


This version of nokogiri might be problematic. Click here for more details.

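--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 89365a54954eca0ebe751dcc006dd77a601940d7
- data.tar.gz: fe3cc54b01faa92e10e14686da63092a5fd4282e
+ metadata.gz: e9727f93d46220b9a004551304a4ec6cba2243ac
+ data.tar.gz: 41168fc5b0521a0d28c06790cfc9c33b4ec0d37c
  SHA512:
- metadata.gz: 445eefd9f3c2681b119c8c68fa6acbe52b3299fcc914c08c5d74e3533c3e95bcafa58f8124559ed93aea8544d4983c21ad0d0e78be047cfae73dbc03f3c5a9e9
- data.tar.gz: a4c40ea7f308c5dcc9214a88adb7364a9fbebef95248d7aa472f255e84155f816ed8719f37719dd86566fd99ff3e0016bb3dff069c75725b60e81a480643239b
+ metadata.gz: 737c5fa0fff34cb9f8976f57c0b5b5dfe465b288b420f60af77159ca95c4b7d7dce7c990f1ef692fc0eccf94bcfed468ea483a377ca5784858fbfa3893585f0b
+ data.tar.gz: 88d8fbfe169eff929bc5fca87a5316c5d2a42f56bf07263e8a63e48a893ee4edd3c3292f144f36044ac53d321338dbd668912ded2077d962e0637d4c43936b01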
@@ -1,3 +1,16 @@
1
+ # 1.8.5 / 2018-10-04
2
+
3
+ ## Security Notes
4
+
5
+ [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in [#1785](https://github.com/sparklemotion/nokogiri/issues/1785). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
6
+
7
+
8
+ ## Bug fixes
9
+
10
+ * [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722]
11
+ * [JRuby] Fix node reparenting when the destination doc is empty. [#1773]
12
+
13
+
1
14
  # 1.8.4 / 2018-07-03
2
15
 
3
16
  ## Bug fixes
@@ -251,6 +251,8 @@ lib/xercesImpl.jar
251
251
  lib/xml-apis.jar
252
252
  lib/xsd/xmlparser/nokogiri.rb
253
253
  patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
254
+ patches/libxml2/0002-Fix-nullptr-deref-with-XPath-logic-ops.patch
255
+ patches/libxml2/0003-Fix-infinite-loop-in-LZMA-decompression.patch
254
256
  patches/sort-patches-by-date
255
257
  suppressions/README.txt
256
258
  suppressions/nokogiri_ruby-2.supp
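--- a/data/build_all
+++ b/data/build_all
@@ -17,27 +17,27 @@ fi
 
  set -o errexit
 
- rm -rf tmp pkg
- bundle exec rake clean clobber
+ # rm -rf tmp pkg
+ # bundle exec rake clean clobber
 
- # holding pen
- rm -rf gems
- mkdir -p gems
+ # # holding pen
+ # rm -rf gems
+ # mkdir -p gems
 
- # windows
- bundle exec rake gem:windows
- cp -v pkg/nokogiri*{x86,x64}-mingw32*.gem gems
+ # # windows
+ # bundle exec rake gem:windows
+ # cp -v pkg/nokogiri*{x86,x64}-mingw32*.gem gems
 
- # MRI
- bundle exec rake clean
- bundle exec rake gem
- cp -v pkg/nokogiri*.gem gems
+ # # MRI
+ # bundle exec rake clean
+ # bundle exec rake gem
+ # cp -v pkg/nokogiri*.gem gems
 
  # jruby
  bundle exec rake clean clobber
  bundle exec rake generate
 
- rvm jruby
+ rvm jruby-9.1
  gem install bundler --conservative
  bundle install --quiet --local || bundle install
  bundle exec ruby -S rake gem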
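Review bot: The cleanup and per-platform steps are disabled by commenting them out (`# rm -rf tmp pkg`, `# rm -rf gems`, the windows and MRI blocks) with no explanation, so the script shipped in this gem no longer describes a from-scratch release build. With `rm -rf gems` and `mkdir -p gems` gone, whatever an earlier run left in `gems/` is kept, which presumably makes the set of published artifacts depend on local state. If the intent was a JRuby-only rebuild, I would restore the steps and gate them behind an argument, or at least add a comment such as `# NOTE: windows/MRI gems were built in a separate run; this pass builds only the JRuby gem`. The script starts before this hunk and may continue after it.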
@@ -33,7 +33,16 @@
33
33
  package nokogiri;
34
34
 
35
35
  import static java.lang.Math.max;
36
- import static nokogiri.internals.NokogiriHelpers.*;
36
+ import static nokogiri.internals.NokogiriHelpers.clearXpathContext;
37
+ import static nokogiri.internals.NokogiriHelpers.convertEncoding;
38
+ import static nokogiri.internals.NokogiriHelpers.convertString;
39
+ import static nokogiri.internals.NokogiriHelpers.getCachedNodeOrCreate;
40
+ import static nokogiri.internals.NokogiriHelpers.getNokogiriClass;
41
+ import static nokogiri.internals.NokogiriHelpers.isBlank;
42
+ import static nokogiri.internals.NokogiriHelpers.nodeArrayToRubyArray;
43
+ import static nokogiri.internals.NokogiriHelpers.nonEmptyStringOrNil;
44
+ import static nokogiri.internals.NokogiriHelpers.rubyStringToString;
45
+ import static nokogiri.internals.NokogiriHelpers.stringOrNil;
37
46
 
38
47
  import java.io.ByteArrayInputStream;
39
48
  import java.io.InputStream;
@@ -43,18 +52,12 @@ import java.util.ArrayList;
43
52
  import java.util.Iterator;
44
53
  import java.util.List;
45
54
 
46
- import nokogiri.internals.HtmlDomParserContext;
47
- import nokogiri.internals.NokogiriHelpers;
48
- import nokogiri.internals.NokogiriNamespaceCache;
49
- import nokogiri.internals.SaveContextVisitor;
50
- import nokogiri.internals.XmlDomParserContext;
51
-
52
55
  import org.apache.xerces.dom.CoreDocumentImpl;
53
56
  import org.jruby.Ruby;
54
57
  import org.jruby.RubyArray;
55
58
  import org.jruby.RubyClass;
56
- import org.jruby.RubyInteger;
57
59
  import org.jruby.RubyFixnum;
60
+ import org.jruby.RubyInteger;
58
61
  import org.jruby.RubyModule;
59
62
  import org.jruby.RubyObject;
60
63
  import org.jruby.RubyString;
@@ -76,6 +79,12 @@ import org.w3c.dom.Node;
76
79
  import org.w3c.dom.NodeList;
77
80
  import org.w3c.dom.Text;
78
81
 
82
+ import nokogiri.internals.HtmlDomParserContext;
83
+ import nokogiri.internals.NokogiriHelpers;
84
+ import nokogiri.internals.NokogiriNamespaceCache;
85
+ import nokogiri.internals.SaveContextVisitor;
86
+ import nokogiri.internals.XmlDomParserContext;
87
+
79
88
  /**
80
89
  * Class for Nokogiri::XML::Node
81
90
  *
@@ -1542,6 +1551,10 @@ public class XmlNode extends RubyObject {
1542
1551
  try {
1543
1552
  Document prev = otherNode.getOwnerDocument();
1544
1553
  Document doc = thisNode.getOwnerDocument();
1554
+ if (doc == null && thisNode instanceof Document) {
1555
+ // we are adding the new node to a new empty document
1556
+ doc = (Document) thisNode;
1557
+ }
1545
1558
  clearXpathContext(prev);
1546
1559
  clearXpathContext(doc);
1547
1560
  if (doc != null && doc != otherNode.getOwnerDocument()) {
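Review bot: The added comment says "new empty document", but the condition `doc == null && thisNode instanceof Document` holds for any Document node whether or not it is empty; it only tests that thisNode is a Document with no owner document. I would word it as `// getOwnerDocument() is null when thisNode is itself the Document; use it as the destination` so the next reader does not assume an emptiness check happens here. If `doc` is still null after this block, `clearXpathContext(doc)` is still called with null as before; whether that helper tolerates null is not visible in the hunk. The enclosing try block starts and ends outside the hunk.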
@@ -434,7 +434,7 @@ end
434
434
 
435
435
  if RbConfig::MAKEFILE_CONFIG['CC'] =~ /gcc/
436
436
  $CFLAGS << " -O3" unless $CFLAGS[/-O\d/]
437
- $CFLAGS << " -Wall -Wcast-qual -Wwrite-strings -Wextra -Wmissing-noreturn -Winline"
437
+ $CFLAGS << " -Wall -Wcast-qual -Wwrite-strings -Wmissing-noreturn -Winline"
438
438
  end
439
439
 
440
440
  case
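Review bot: Dropping `-Wextra` from the gcc `$CFLAGS` line removes a whole group of compiler diagnostics for the C extension without recording which warning prompted it. For code that parses untrusted XML and HTML I would keep `-Wextra` and switch off only the offending warning, for example `-Wextra -Wno-unused-parameter` if unused parameters were the noise (an assumption; the change does not say). Failing that, a comment on the line stating why `-Wextra` was removed would let it be restored later.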
Binary file
@@ -1,6 +1,6 @@
1
1
  module Nokogiri
2
2
  # The version of Nokogiri you are using
3
- VERSION = '1.8.4'
3
+ VERSION = '1.8.5'
4
4
 
5
5
  class VersionInfo # :nodoc:
6
6
  def jruby?
@@ -0,0 +1,54 @@
1
+ From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
2
+ From: Nick Wellnhofer <wellnhofer@aevum.de>
3
+ Date: Mon, 30 Jul 2018 12:54:38 +0200
4
+ Subject: [PATCH] Fix nullptr deref with XPath logic ops
5
+
6
+ If the XPath stack is corrupted, for example by a misbehaving extension
7
+ function, the "and" and "or" XPath operators could dereference NULL
8
+ pointers. Check that the XPath stack isn't empty and optimize the
9
+ logic operators slightly.
10
+
11
+ Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
12
+
13
+ Also see
14
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
15
+ https://bugzilla.redhat.com/show_bug.cgi?id=1595985
16
+
17
+ This is CVE-2018-14404.
18
+
19
+ Thanks to Guy Inbar for the report.
20
+ ---
21
+ xpath.c | 10 ++++------
22
+ 1 file changed, 4 insertions(+), 6 deletions(-)
23
+
24
+ diff --git a/xpath.c b/xpath.c
25
+ index 3fae0bf..5e3bb9f 100644
26
+ --- a/xpath.c
27
+ +++ b/xpath.c
28
+ @@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
29
+ return(0);
30
+ }
31
+ xmlXPathBooleanFunction(ctxt, 1);
32
+ - arg1 = valuePop(ctxt);
33
+ - arg1->boolval &= arg2->boolval;
34
+ - valuePush(ctxt, arg1);
35
+ + if (ctxt->value != NULL)
36
+ + ctxt->value->boolval &= arg2->boolval;
37
+ xmlXPathReleaseObject(ctxt->context, arg2);
38
+ return (total);
39
+ case XPATH_OP_OR:
40
+ @@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
41
+ return(0);
42
+ }
43
+ xmlXPathBooleanFunction(ctxt, 1);
44
+ - arg1 = valuePop(ctxt);
45
+ - arg1->boolval |= arg2->boolval;
46
+ - valuePush(ctxt, arg1);
47
+ + if (ctxt->value != NULL)
48
+ + ctxt->value->boolval |= arg2->boolval;
49
+ xmlXPathReleaseObject(ctxt->context, arg2);
50
+ return (total);
51
+ case XPATH_OP_EQUAL:
52
+ --
53
+ 2.17.1
54
+
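Review bot: When `ctxt->value` is NULL the new guard skips the `&=` / `|=` and the case still reaches `return (total)`, so an empty stack is tolerated silently at this point; whether an error has already been recorded on `ctxt` by `xmlXPathBooleanFunction` is not visible in these hunks. A one-line comment above each guard would make the intent explicit, e.g. `/* value is NULL only if the stack was corrupted; skip instead of dereferencing */`. Since this file is a vendored copy of the upstream commit, it should stay identical to upstream and the comment is better proposed there. No regression test for CVE-2018-14404 appears in this diff; the only test change covers the JRuby reparenting fix.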
@@ -0,0 +1,50 @@
1
+ From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
2
+ From: Nick Wellnhofer <wellnhofer@aevum.de>
3
+ Date: Mon, 30 Jul 2018 13:14:11 +0200
4
+ Subject: [PATCH] Fix infinite loop in LZMA decompression
5
+ MIME-Version: 1.0
6
+ Content-Type: text/plain; charset=UTF-8
7
+ Content-Transfer-Encoding: 8bit
8
+
9
+ Check the liblzma error code more thoroughly to avoid infinite loops.
10
+
11
+ Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
12
+ Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
13
+
14
+ This is CVE-2018-9251 and CVE-2018-14567.
15
+
16
+ Thanks to Dongliang Mu and Simon Wörner for the reports.
17
+ ---
18
+ xzlib.c | 9 +++++++++
19
+ 1 file changed, 9 insertions(+)
20
+
21
+ diff --git a/xzlib.c b/xzlib.c
22
+ index a839169..0ba88cf 100644
23
+ --- a/xzlib.c
24
+ +++ b/xzlib.c
25
+ @@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
26
+ "internal error: inflate stream corrupt");
27
+ return -1;
28
+ }
29
+ + /*
30
+ + * FIXME: Remapping a couple of error codes and falling through
31
+ + * to the LZMA error handling looks fragile.
32
+ + */
33
+ if (ret == Z_MEM_ERROR)
34
+ ret = LZMA_MEM_ERROR;
35
+ if (ret == Z_DATA_ERROR)
36
+ @@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
37
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
38
+ return -1;
39
+ }
40
+ + if ((state->how != GZIP) &&
41
+ + (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
42
+ + xz_error(state, ret, "lzma error");
43
+ + return -1;
44
+ + }
45
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
46
+
47
+ /* update available output and crc check value */
48
+ --
49
+ 2.17.1
50
+
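Review bot: The added check only covers the non-GZIP path (`state->how != GZIP`), so for gzip input the loop still relies on the zlib branch above it, where only `Z_MEM_ERROR` and `Z_DATA_ERROR` are visibly remapped and the new FIXME itself calls that fragile. As far as this hunk shows, other zlib return codes would reach `while (strm->avail_out && ret != LZMA_STREAM_END)` unchecked; the earlier part of the zlib branch and the rest of `xz_decomp` are outside the hunk. I would at least record this next to the guard, `/* GZIP errors are handled in the zlib branch above; only MEM/DATA are remapped */`. The patch header also names CVE-2018-9251, which the 1.8.5 Security Notes do not list.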
@@ -197,6 +197,17 @@ module Nokogiri
197
197
  end
198
198
  end
199
199
 
200
+ describe "given the new document is empty" do
201
+ it "adds the node to the new document" do
202
+ doc1 = Nokogiri::XML.parse("<value>3</value>")
203
+ doc2 = Nokogiri::XML::Document.new
204
+ node = doc1.at_xpath("//value")
205
+ node.remove
206
+ doc2.add_child(node)
207
+ assert_match /<value>3<\/value>/, doc2.to_xml
208
+ end
209
+ end
210
+
200
211
  describe "given a parent node with a default namespace" do
201
212
  before do
202
213
  @doc = Nokogiri::XML(<<-eoxml)
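Review bot: `assert_match /<value>3<\/value>/, doc2.to_xml` passes a regexp literal as the first argument without parentheses, which Ruby reports as an ambiguous first argument when warnings are on; `assert_match(/<value>3<\/value>/, doc2.to_xml)` avoids that. The test also checks only the serialized output, so adding `assert_equal doc2, node.document` would pin that the node's owner document actually changed, which is what the reparenting fix is about.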
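--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: nokogiri
  version: !ruby/object:Gem::Version
- version: 1.8.4
+ version: 1.8.5
  platform: java
  authors:
  - Aaron Patterson
@@ -14,7 +14,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2018-07-03 00:00:00.000000000 Z
+ date: 2018-10-05 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  requirement: !ruby/object:Gem::Requirement
@@ -515,6 +515,8 @@ files:
  - lib/xml-apis.jar
  - lib/xsd/xmlparser/nokogiri.rb
  - patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
+ - patches/libxml2/0002-Fix-nullptr-deref-with-XPath-logic-ops.patch
+ - patches/libxml2/0003-Fix-infinite-loop-in-LZMA-decompression.patch
  - patches/sort-patches-by-date
  - suppressions/README.txt
  - suppressions/nokogiri_ruby-2.supp
@@ -652,7 +654,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.6.14
+ rubygems_version: 2.6.14.1
  signing_key:
  specification_version: 4
  summary: Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser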