
This queue is for tickets about the MARC-XML CPAN distribution.

Report information
The Basics
Id: 131489
Status: open
Priority: 0/
Queue: MARC-XML

People
Owner: Nobody in particular
Requestors: jplesnik [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Test fails with XML-LibXML-2.0202
Date: Thu, 16 Jan 2020 09:47:27 +0100
To: bug-MARC-XML [...] rt.cpan.org
From: Jitka Plesnikova <jplesnik [...] redhat.com>
The test t/external-entities.t failed with XML-LibXML-2.0202.

# Failed test 'should have refused to parse MARCXML record containing external entitities, but did not'
# at t/external-entities.t line 64.
# Looks like you failed 1 test of 2.
t/external-entities.t ..
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/2 subtests

It probably happened, because loading external DTDs or external entities is disabled by default in XML-LibXML-2.0202.

--
Jitka Plesnikova
On Thu 16 Jan 2020 03:54:17, jplesnik wrote:
> The test t/external-entities.t failed with XML-LibXML-2.0202.
>
> # Failed test 'should have refused to parse MARCXML record
> containing external entitities, but did not'
> # at t/external-entities.t line 64.
> # Looks like you failed 1 test of 2.
> t/external-entities.t ..
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/2 subtests
>
> It probably happened, because loading external DTDs or external
> entities
> is disabled by default in XML-LibXML-2.0202.
Yes, that was the trigger. The attached patch adjusts the tests so that they pass with both old and new XML-LibXML. A downside of the patch is that it does not refuse to parse documents with external entities. They are silently skipped. A proper fix would require more (probably incompatible) changes in XML-LibXML and libxml2. A naive fix that enables entity expansion would have security implications. Thus I decided on this kind of fix.
Subject: MARC-XML-1.0.4-Adjust-tests-to-XML-LibXML-2.0202.patch
From c2b22e859a053a1b8e836d4a3fda43ed3af5bf8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Wed, 29 Jan 2020 13:21:10 +0100 Subject: [PATCH] Adjust tests to XML-LibXML-2.0202 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit XML-LibXML-2.0202 stopped setting expand_entities parser option. If the option is disabled, ext_ent_handler is never called and external entities are just skipped. No error is reported. Despite the name, internal intities are expanded. One could be tempted to enable expand_entities explicitly to get a parser error on an external entity. But there are weird security effects of that option and it's better to stick to libxml2 defaults <https://github.com/shlomif/perl-XML-LibXML/pull/39>. <https://rt.cpan.org/Public/Bug/Display.html?id=131489> Signed-off-by: Petr Písař <ppisar@redhat.com> --- t/external-entities.t | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/t/external-entities.t b/t/external-entities.t index 08a592a..7b66e93 100644 --- a/t/external-entities.t +++ b/t/external-entities.t 
@@ -54,12 +54,19 @@ my $marc_ext_ent; eval { $marc_ext_ent = MARC::Record->new_from_xml($xml_ext_ent); }; -if ($@) { - like( - $@, - qr/External entities are not supported/, - 'refused to parse MARCXML record containing external entitities' - ); +# XML-LibXML-2.0202 stopped setting expand_entities parser option. If the +# option is disabled, ext_ent_handler is never called and external entities +# are just skipped. No error is reported. +if ($MARC::File::XML::parser->get_option('expand_entities')) { + if ($@) { + like( + $@, + qr/External entities are not supported/, + 'refused to parse MARCXML record containing external entitities' + ); + } else { + fail('should have refused to parse MARCXML record containing external entitities, but did not'); + } } else { - fail('should have refused to parse MARCXML record containing external entitities, but did not'); + is($marc_ext_ent->subfield('245', 'a'), 'I was run on /', 'external entities are ignored'); } -- 2.21.1
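Review bot: The new else branch at the end of the hunk calls $marc_ext_ent->subfield('245', 'a') without checking $@ from the preceding eval. If new_from_xml dies for any reason while expand_entities is off, $marc_ext_ent is undefined and the script aborts on a method call on an undefined value instead of recording a failed test. Check $@ first in that branch and fail with it as the diagnostic, then compare the subfield only when the eval succeeded. Two smaller points: the branch is selected by reading $MARC::File::XML::parser directly, so the test now depends on that package variable holding the parser that new_from_xml used, which deserves a line in the comment. The test name 'external entities are ignored' should also state that the record is accepted rather than refused, since that is the behaviour change this branch locks in.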