On Mon, Nov 24, 2014 at 10:22 PM, Thorsten Glaser <t.gla...@tarent.de> wrote:
> Source: libxml2
> Version: 2.9.2+dfsg1-1
> Severity: wishlist
> Tags: patch upstream forwarded-upstream
> Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=739574
>
> Hi,
>
> please consider applying the attached patch in subsequent uploads,
> at least until upstream has integrated it. It fixes:
>
> • replace several ad-hōc UTF-8 decoders with calls to one that
>   does the thing right (validate input string length and encoding,
>   and check for minimal encoded values)
>
> • in several places, check the values for being actually ok in
>   XML documents, which limits what Unicode codepoints may be used
>   ‣ when there was already error handling in place, re-use that
>   ‣ otherwise silently drop the characters, to not break any
>     existing application
>
> This prevents e.g. a SOAP-WS client written in PHP from sending
> invalid XML as SOAP request over the wire for strings containing
> e.g. literal backspace characters.
>
I'd rather wait for upstream's reaction for a longer time, since deltas to libxml2 from upstream must be dealt with carefully (as said, the more you read the code then...).

Thanks,
Aron