From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 01D94158094 for ; Sat, 8 Oct 2022 06:40:30 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 560DDE0971; Sat, 8 Oct 2022 06:40:26 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 18CA4E0969 for ; Sat, 8 Oct 2022 06:40:26 +0000 (UTC) From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= To: gentoo-dev@lists.gentoo.org Cc: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Subject: [gentoo-dev] [PATCH 0/2] glep-0068: Stricten the XML format Date: Sat, 8 Oct 2022 08:40:19 +0200 Message-Id: <20221008064021.60348-1-mgorny@gentoo.org> X-Mailer: git-send-email 2.38.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Archives-Salt: b667a499-7c71-4223-a7a4-64fd50bee0ed X-Archives-Hash: 8bd165470c52d1686d7843a3a8a60e6a Hi, The spec is a bit lax about the XML features allowed. However, we don't really expect people to use fancy features like custom entities, XInclude, etc. Let's formally stricten the spec to disallow anything remote or potentially dangerous to at least protect implementations from the most common XML security problems. While at it, let's make it clear that while we don't permit elements outside the spec in metadata.xml files, we may add new elements or attributes in future versions. I'm not sure whether we should be increasing the version number here. On one hand, the change roughly matches the original intent (i.e. no metadata.xml files should be broken by it, and implementation should not have been processing external DTDs or anything like that anyway). On the other, technically speaking the new version is more restrictive than the old one, so a major version bump would be correct. WDYT? Michał Górny (2): glep-0068: Clarify and restrict XML data format glep-0068: Indicate that unknown elements should be ignored glep-0068.rst | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) -- 2.38.0