[Expat-bugs] [ expat-Bugs-3500861 ] fix for CVE-2012-0876 breaks "xml" default prefix

SourceForge.net noreply at sourceforge.net
Sat Mar 10 03:37:43 CET 2012


Bugs item #3500861, was opened at 2012-03-09 18:37
Message generated for change (Tracker Item Submitted) made by marienz
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3500861&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Marien Zwart (marienz)
Assigned to: Nobody/Anonymous (nobody)
Summary: fix for CVE-2012-0876 breaks "xml" default prefix

Initial Comment:
expat-2.1.0-beta2 will fail a namespace-aware parse of a document relying on the "xml" prefix being bound by default, like the following test document:

<?xml version="1.0"?>
<root xml:whitespace="preserve"/>

xmlwf -n on that document returns "2:0: unbound prefix", while xmlwf from expat 2.0.1 succeeds.

This seems to be caused by the call to setContext(parser, implicitContext) adding that default prefix happening too early (before hash_secret_salt is initialized).

----------------------------------------------------------------------
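
The ordering problem the report points to, as an added example that is not expat's code and not part of the original report: a toy table indexed by a salted hash loses an entry that was inserted before the salt was set. The table, hash function, salt value and all names here are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NBUCKETS 64

/* Toy open-addressing table keyed by a salted hash (hypothetical; not expat's). */
struct table {
    unsigned long salt;            /* 0 until the "parser" seeds it */
    const char *keys[NBUCKETS];
};

static unsigned long salted_hash(unsigned long salt, const char *s)
{
    unsigned long h = salt;
    while (*s)
        h = (h * 1000003UL) ^ (unsigned char)*s++;
    return h;
}

/* Find a key, optionally inserting it: linear probing from the salted bucket. */
static int lookup(struct table *t, const char *key, int create)
{
    size_t i = salted_hash(t->salt, key) % NBUCKETS;
    for (size_t n = 0; n < NBUCKETS; n++, i = (i + 1) % NBUCKETS) {
        if (t->keys[i] == NULL) {
            if (create)
                t->keys[i] = key;
            return create;
        }
        if (strcmp(t->keys[i], key) == 0)
            return 1;
    }
    return 0;
}

/* Returns 1 if "xml" is still found at parse time, 0 if it looks unbound. */
int xml_prefix_found(int seed_before_bind, unsigned long salt)
{
    struct table t = {0};
    if (seed_before_bind)
        t.salt = salt;
    lookup(&t, "xml", 1);   /* implicit binding of the default prefix */
    t.salt = salt;          /* salt is in place by the time parsing starts */
    return lookup(&t, "xml", 0);
}

int main(void)
{
    /* 0x9e3779b9 is a constructed sample salt */
    printf("bind then seed: found=%d\n", xml_prefix_found(0, 0x9e3779b9UL));
    printf("seed then bind: found=%d\n", xml_prefix_found(1, 0x9e3779b9UL));
    return 0;
}
```

Binding first and seeding afterwards leaves "xml" in the bucket chosen under salt 0, so the later lookup under the real salt probes a different, empty bucket and reports the prefix as missing.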
