public inbox for gentoo-dev@lists.gentoo.org
From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: "Michał Górny" <mgorny@gentoo.org>
Subject: [gentoo-dev] [PATCH 1/2] glep-0068: Clarify and restrict XML data format
Date: Sat,  8 Oct 2022 08:40:20 +0200	[thread overview]
Message-ID: <20221008064021.60348-2-mgorny@gentoo.org> (raw)
In-Reply-To: <20221008064021.60348-1-mgorny@gentoo.org>

Explicitly specify XML 1.0 and link to the specification.  Forbid
"external markup declarations" and processing DTDs to secure against
common XML attacks.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 glep-0068.rst | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/glep-0068.rst b/glep-0068.rst
index 78ac7ea..d3e3611 100644
--- a/glep-0068.rst
+++ b/glep-0068.rst
@@ -6,8 +6,8 @@ Type: Standards Track
 Status: Final
 Version: 1.2
 Created: 2016-03-14
-Last-Modified: 2022-05-22
-Post-History: 2016-03-16, 2018-02-20, 2022-05-22
+Last-Modified: 2022-10-07
+Post-History: 2016-03-16, 2018-02-20, 2022-05-22, 2022-10-07
 Content-Type: text/x-rst
 Requires: 67
 Replaces: 34, 46, 56
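Review bot: `Version: 1.2` is left unchanged in this hunk although the patch adds new "must not" requirements on both files and parsers; only `Last-Modified` and `Post-History` are bumped. A normative tightening of the format should be visible in the version field (e.g. `Version: 1.3`) so that tools and readers can tell which revision introduced the restriction rather than having to compare dates.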
@@ -59,10 +59,14 @@ Metadata files
 --------------
 
 This specification provides two kinds of metadata files: category metadata
-files and package metadata files. Both kinds of files use XML file format
-with structure defined in this GLEP. The XML structure does not use
-a namespace and must not contain any elements outside the scope of this
-specification.
+files and package metadata files. Both kinds of files use the XML 1.0 file
+format [#XML10]_. They must not use external markup declarations, as defined
+in the XML specification. While they may reference or include a DTD, the parser
+must not fetch or process it.
+
+The data structure of metadata files is defined in this GLEP. The elements
+and attributes do not use namespaces. Conforming files must not contain
+any elements or attributes that are not defined in this specification.
 
 Category metadata files are named ``metadata.xml`` and located inside category
 directories in an ebuild repository. Their structure is described
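Review bot: The sentences "While they may reference or include a DTD, the parser" / "must not fetch or process it." leave the internal subset ambiguous. "Include a DTD" reads as allowing a DOCTYPE with an internal subset, yet XML 1.0 requires even a non-validating processor to process the declarations in the internal subset, so "must not process it" cannot be met by a conforming XML 1.0 parser without qualification, and the text never says what happens to entity references whose declarations are thereby ignored. Since the stated aim is protection against common XML attacks, and entity expansion is driven by internal-subset declarations rather than external ones, consider stating explicitly that conforming files must not declare entities (or must not carry an internal subset at all) and that parsers must not resolve external entities or the external DTD subset; that also makes "must not use external markup declarations" concrete for implementers. Finally, "Conforming files must not contain any elements or attributes that are not defined in this specification" is a stricter statement than the replaced text; if the follow-up patch in this series relaxes it for unknown elements, it may be clearer to phrase the requirement on the file and the tolerance of the parser together here.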
@@ -516,6 +520,9 @@ References
 .. [#METADATA-DTD] The original metadata.dtd file
    https://gitweb.gentoo.org/data/dtd.git/tree/metadata.dtd?id=a908a93b5afe295359e0a01814c9bef8b5268bcd
 
+.. [#XML10] Extensible Markup Language (XML) 1.0 (Fifth Edition)
+   https://www.w3.org/TR/xml/
+
 .. [#BCP-47] BCP 47: "Tags for identifying languages",
    https://tools.ietf.org/rfc/bcp/bcp47.txt
 
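Review bot: The new `[#XML10]` reference names the Fifth Edition but links to https://www.w3.org/TR/xml/, which is the "latest version" URL and may point at a later edition in future. Since the GLEP is Final and ties normative terms ("external markup declarations") to a specific edition, prefer the dated URL for the Fifth Edition, https://www.w3.org/TR/2008/REC-xml-20081126/, or state the edition in the text and keep the undated link as a secondary pointer.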
-- 
2.38.0



Thread overview: 3+ messages
2022-10-08  6:40 [gentoo-dev] [PATCH 0/2] glep-0068: Stricten the XML format Michał Górny
2022-10-08  6:40 ` Michał Górny [this message]
2022-10-08  6:40 ` [gentoo-dev] [PATCH 2/2] glep-0068: Indicate that unknown elements should be ignored Michał Górny