New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change namespace separator #78
Change namespace separator #78
Conversation
@@ -2479,7 +2479,8 @@ static WBXMLError decode_opaque_content(WBXMLParser *parser, | |||
case WBXML_LANG_SYNCML_SYNCML11: | |||
case WBXML_LANG_SYNCML_SYNCML12: | |||
/* NextNonce */ | |||
if ((parser->current_tag->wbxmlCodePage == 0x01) && | |||
if ((parser->current_tag) && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@SlavekB thanks for the PR, very nice! 👍
I tried running the tests without that^^ part of the patch and everything still passes. So it seems that part is not strictly related. I would like to vote to make that a separated pull request and to move it out of here for clarity, but just my two cents. Thanks a lot for working on this! 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This crash occurred when a damaged wbxml files was generated during tests. Therefore I put it as part of this PR. Because the second commit in this PR fixes problem with damaged wbxml files, the crash does not occur now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to keep as it makes the code more robust.
@SlavekB - can you please add a note to ChangeLog and your credits to the file THANKS too, please? |
A more general question, I am wondering what this change means in terms of SO naming for the generated library. Any opinions or hints, please? |
@bellmich depends on the other changes since the last release. This PR in isolation would probably just a bump of revision (from current 7 to 8), since it does not break API or ABI. https://verbump.de/ may also be of help. Related code: https://github.com/libwbxml/libwbxml/blob/master/CMakeLists.txt#L16-L33 |
Because the change of the namespace separator's is only internal and does not cause a change in API / ABI, it seems to me that there is no need to change If there is consent, I should prepare a record to |
Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
instead of hardcoded colon in the SyncML related code. Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
f171cb0
to
acc8912
Compare
Rebased to current head and added note to ChangeLog. |
@SlavekB I think we have a misunderstanding here. I agree that bumping
How to bump the soversion is non-trivial — there is an algorithm —, and is a key reason I created (1) https://verbump.de/ for help and (2) shared a simpler algorithm for anyone who likes to do it with "pen and paper" at https://blog.hartwork.org/posts/shared-library-version-bump/ . I'm hoping that at least one of these two can help answer the question what to bump current |
Yes, the version numbering of SO libraries is known to me. Therefore, I believe that this change is not necessary to be reflected on the soversion of the library, because it does not make any change of the library interface. |
… pipe. This solves compatibility with libexpat >= 2.4.5 after fix the security problem CVE-2022-25236. This resolves issue libwbxml#76. Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
acc8912
to
4425e80
Compare
@SlavekB if it is known to you, then you will agree that changes in source need a bump in soversion, once before the next release. What am I missing? |
@SlavekB with the help of https://verbump.de/ : |
You can notice in the git history that changes are not always reflected on From one view, this is a change that affects only internal behavior. From the second view, it provides compatibility with a newer version of libexpat, so it seems that it could be a good idea to be reflected on |
@SlavekB we seem to be on different boats with soversion'ing. I have said what I wanted to say, and don't want a fight about it or start repeating myself, so I will not reply to that last message in detail and just hope that whoever does the release does the right thing. |
I was thinking again. I agree that it seems more good reasons to increase Thank you for your revisions and comments. |
@SlavekB thanks for your last comment. I'm not aware of anything else needed. Thanks for your work on this pull request! 👍 |
Thanks for all the comments regarding the SO naming and sorry for being late to the party ;-) Potentially, I should add more context to my question right from the beginning. I know that the changes are fully API and ABI compatible with the version before and now comes the big but: the behaviour of already existing functions changed. If I play this really strict, it must be interpreted like removing and adding a new function call. The problem is, if I do this and change the SO versions accordingly, all old binaries would not use the new library and essentially as this is a security fix, they would stay vulnerable. Therefore, I think about to just increase REVISION and PATCH like you proposed to make the fix available to old binaries. My problem is, I have no clue what the maintainers from the distributions think about this and if I break any program with the changed namespace separator. |
As the pull request works perfectly, I'll merge it. Thanks a lot for your help! |
Please, do you already have a plan to release 0.11.8 containing these patches? |
Yes, I contacted some people from Debian and asked for their opinion on the SO naming. I have no final answer so far but they are aware of the Expat security issue, the Expat SO naming and the resulting trouble. |
@SlavekB - Do you have a deadline or pressing need for some reason (e.g. publicly available vulnerable system or something like this)? |
Potentially beside the SO naming, the required Expat version could/should be enforced. |
My interest in the new version is because of the fact that the Expat security update caused non-functional ActiveSync synchronization in SOGo – see: Bug 1006337 in Debian. In addition to official packages in Debian, I provide community repository with packages for the latest version of SOGo, so I'm interested in building libwbxml packages for this repository – see axis repository for SOGo. |
@bellmich could you elaborate how the internal change will affect users of libwbxml? If they never got to see strings containing colon as a separator returned by some API call, then the change is purely internal and not a breaking change. Is there any place like that in libwbxml?
@bellmich that seems unnecessary, it may even hurt people with backported patches where the version number is lower. Could you elaborate on the idea? |
@SlavekB FYI your patch is used in Gentoo by now (gentoo/gentoo@8b88021) |
If the library is used to convert WBXML into XML, the default namespace separator changed and this way, the XML output changed. The question is, are there any XML parsers who could be in trouble with the new namespace separator? As I didn't receive any feedback from Debian so far, I tend to go with your proposal, @SlavekB.
The idea came to me because it potentially help to reach a consistent security state. The new version would enforce an update to a secure version of Expat. Otherwise, a libwbxml version with a security fix could still lead to a vulnerable system because it can be used with a vulnerable Expat. If the idea is a bad one, I am open for feedback. I am just very over-carefully because it is a security fix. Sorry, if it sounds a little bit silly. |
@bellmich let's be sure we don't mixup two things under the term "namespace separator". We have:
So where libwbxml is writing XML, it can be nothing but colon, and in element handlers and in internal communication it has some flexibility to use e.g. a pipe ( CC @SlavekB |
My observation is that changing the separator has only an internal impact => this does not change the outputs to wbxml, nor to readable xml. And it does not seem to be some public API functions that would be affected by changing the separator. Therefore, my observation is that the change has no impact on any library public interface. |
Require a specific version of Expat containing security patches at build time does not seem good idea:
The settings of dependency for the binary packages is beyond the source code, so irrelevant to release a new version. |
Three parts are addressed:
See previous comments on issue #76.