Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id AB2ED158094 for ; Sat, 8 Oct 2022 06:40:51 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 73573E0997; Sat, 8 Oct 2022 06:40:27 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3C40CE0992 for ; Sat, 8 Oct 2022 06:40:27 +0000 (UTC)
From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Cc: Michał Górny
Subject: [gentoo-dev] [PATCH 1/2] glep-0068: Clarify and restrict XML data format
Date: Sat, 8 Oct 2022 08:40:20 +0200
Message-Id: <20221008064021.60348-2-mgorny@gentoo.org>
X-Mailer: git-send-email 2.38.0
In-Reply-To: <20221008064021.60348-1-mgorny@gentoo.org>
References: <20221008064021.60348-1-mgorny@gentoo.org>
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Archives-Salt: 10c4ef67-af5c-4efe-8ff0-b767638b521b
X-Archives-Hash: 4d61adc91d2880c845063a1a14257fc0

Explicitly specify XML 1.0 and link to the specification. Forbid "external markup declarations" and processing DTDs to secure against common XML attacks.

Signed-off-by: Michał Górny
---
 glep-0068.rst | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/glep-0068.rst b/glep-0068.rst index 78ac7ea..d3e3611 100644 --- a/glep-0068.rst +++ b/glep-0068.rst @@ -6,8 +6,8 @@ Type: Standards Track Status: Final Version: 1.2 Created: 2016-03-14 -Last-Modified: 2022-05-22 -Post-History: 2016-03-16, 2018-02-20, 2022-05-22 +Last-Modified: 2022-10-07 +Post-History: 2016-03-16, 2018-02-20, 2022-05-22, 2022-10-07 Content-Type: text/x-rst Requires: 67 Replaces: 34, 46, 56 @@ -59,10 +59,14 @@ Metadata files -------------- This specification provides two kinds of metadata files: category metadata -files and package metadata files. Both kinds of files use XML file format -with structure defined in this GLEP. The XML structure does not use -a namespace and must not contain any elements outside the scope of this -specification. +files and package metadata files. Both kinds of files use the XML 1.0 file +format [#XML10]_. They must not use external markup declarations, as defined +in the XML specification. While they may reference or include a DTD, the parser +must not fetch or process it. + +The data structure of metadata files is defined in this GLEP. The elements +and attributes do not use namespaces. Conforming files must not contain +any elements or attributes that are not defined in this specification. Category metadata files are named ``metadata.xml`` and located inside category directories in an ebuild repository. Their structure is described @@ -516,6 +520,9 @@ References .. [#METADATA-DTD] The original metadata.dtd file https://gitweb.gentoo.org/data/dtd.git/tree/metadata.dtd?id=a908a93b5afe295359e0a01814c9bef8b5268bcd +.. [#XML10] Extensible Markup Language (XML) 1.0 (Fifth Edition) + https://www.w3.org/TR/xml/ + .. [#BCP-47] BCP 47: "Tags for identifying languages", https://tools.ietf.org/rfc/bcp/bcp47.txt -- 2.38.0
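Review bot: in the first hunk (the header block at @@ -6,8 +6,8 @@) only Last-Modified and Post-History are updated while "Version: 1.2" stays as it is, yet the body hunk adds new normative requirements (files must not use external markup declarations; a parser must not fetch or process the DTD), which changes what a conforming file and a conforming parser are. Consider bumping Version in the same patch so implementers can tell this revision from the existing 1.2 text by the header alone.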
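Review bot: the second hunk (@@ -59,10 +59,14 @@) states the file-side rule only for external markup declarations, but the same paragraph forbids the parser from processing the DTD at all, so a file whose internal subset declares entities and then references them cannot be parsed by a conforming parser, while a non-conforming one that does read the internal subset would accept it. Suggest making that explicit, e.g. "Conforming files must not declare entities and must not reference any entity other than the predefined ones", which also closes the entity-expansion side of the "common XML attacks" the commit message mentions. Two wording points in the same lines: "may reference or include a DTD" is ambiguous about whether "include" means an internal subset, and "as defined in the XML specification" would be easier to act on if it named the place where "external markup declaration" is defined (section 2.9, Standalone Document Declaration, in the Fifth Edition).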
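Review bot: in the third hunk (@@ -516,6 +520,9 @@) the new [#XML10] entry names the Fifth Edition but links https://www.w3.org/TR/xml/, which is the "latest version" URL and will resolve to whatever edition is current. The neighbouring [#METADATA-DTD] entry pins a specific revision with ?id=...; for the same stability, cite the dated Recommendation URL, https://www.w3.org/TR/2008/REC-xml-20081126/, so the normative reference does not change underneath the GLEP.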
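To make the new parser requirement from the second hunk concrete, here is an added example of a metadata.xml pre-check; it is not part of this patch, the GLEP, or any Gentoo tool. It uses only the standard library's expat bindings, parses with the external subset disabled so a referenced DTD is never fetched or processed, accepts a DOCTYPE that merely references a DTD, and rejects any entity declaration or external entity reference, on the reasoning that a conforming parser would not process those anyway. The sample documents, the maintainer address, the function name check_metadata_xml, and the assumption that Gentoo metadata files reference https://www.gentoo.org/dtd/metadata.dtd are mine.

```python
import xml.parsers.expat as expat


class MetadataXmlError(Exception):
    """Raised when a metadata file would need DTD processing to be parsed."""


def check_metadata_xml(data: bytes) -> dict:
    """Parse a metadata.xml document without fetching or processing its DTD.

    Returns a summary dict (doctype, root element, problems) on success and
    raises MetadataXmlError when the document is not well-formed, declares
    any entity in its internal subset, or tries to pull in an external
    entity.  A DOCTYPE that only references a DTD is accepted and recorded.
    """
    parser = expat.ParserCreate()
    # Never read the external subset or any external parameter entity:
    # this is the "must not fetch or process it" rule from the patch.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    summary = {"doctype": None, "root": None, "problems": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Referencing metadata.dtd is allowed; just note what was referenced.
        summary["doctype"] = (name, sysid, pubid, bool(has_internal_subset))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Any entity declaration (general or parameter, internal or external)
        # is a markup declaration the file may not rely on, because a
        # conforming parser never processes the DTD.
        kind = "parameter" if is_param else "general"
        summary["problems"].append(f"{kind} entity declaration {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        # Refuse to resolve external entities; returning 0 aborts the parse.
        summary["problems"].append(f"external entity reference {sysid!r}")
        return 0

    def on_start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        summary["problems"].append(f"not well-formed: {exc}")

    if summary["problems"]:
        raise MetadataXmlError("; ".join(summary["problems"]))
    return summary


# Constructed sample documents (not taken from any Gentoo repository).  The
# DTD URL is assumed to be the one Gentoo metadata files conventionally
# reference; its exact value does not matter because it is never fetched.
GOOD_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
  <maintainer type="person">
    <email>maintainer@example.invalid</email>
  </maintainer>
</pkgmetadata>
"""

ENTITY_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata [
  <!ENTITY who "Constructed Name">
]>
<pkgmetadata>
  <maintainer type="person"><name>&who;</name></maintainer>
</pkgmetadata>
"""


if __name__ == "__main__":
    print(check_metadata_xml(GOOD_SAMPLE))
    try:
        check_metadata_xml(ENTITY_SAMPLE)
    except MetadataXmlError as exc:
        print("rejected:", exc)
```

Running the script accepts GOOD_SAMPLE (the DOCTYPE is recorded, nothing is fetched) and rejects ENTITY_SAMPLE because of the declaration in its internal subset. A checker like this is deliberately stricter than expat's default, which does expand internal entities; the point is to refuse up front anything a parser following the amended GLEP could not process.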