Porting XERCESC-2052 fix to 3.1 branch

[Michael Behrisch <os...@behrisch.de>]

Hi,
I had a transcoding problem with Xerces-C and noticed that it has
already been described
https://issues.apache.org/jira/browse/XERCESC-2052 and fixed for more
than a year but not in the 3.1 branch.
So I took the liberty to port the fix and would be happy if it could be
released in a (hopefully soon) upcoming 3.1.5 or if 3.2 is just around
corner, this would be even better.

If this is not possible for any reason, would you mind (i.e. see major
security risks) when I try to add the patch at least to the rpm packages
of my favourite linux distro?

Best regards and thanks for providing Xerces-C,
Michael

RE: Porting XERCESC-2052 fix to 3.1 branch

["Cantor, Scott" <ca...@osu.edu>]

Don't know if the OP (cc'd) is still around but since I'm trying to get us moving toward a 3.2 release, I wanted to clarify this...

> So just for the record, the error is really a regression, it worked in
> 3.1.1 and the fix in trunk was this commit:

I don't see how this "worked" in 3.1.1, the patch in question:

> http://svn.apache.org/viewvc?view=revision&revision=1701594

Was applied only to trunk, not to 3.1.0/3.1.1, and the test case is only on trunk. It couldn't have been working on 3.1.1 or the "fix" is something else.

I was concerned that one of the security fixes to 3.1.2 and up broke something, and had filed this away to follow up before a 3.2.0, but this seems to be something else entirely, just a fix that didn't ever get done on the branch, and therefore can be closed out once we release trunk.

-- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org

RE: Porting XERCESC-2052 fix to 3.1 branch

["Cantor, Scott" <ca...@osu.edu>]

> So just for the record, the error is really a regression, it worked in
> 3.1.1 and the fix in trunk was this commit:

That's even stronger evidence that I have no business touching that code, I'm afraid. So I would have to say that somebody who does know it needs to own it and take care of applying those fixes to the branch.

-- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org

Re: Porting XERCESC-2052 fix to 3.1 branch

[Michael Behrisch <os...@behrisch.de>]

Am 21.10.2016 um 02:39 schrieb Cantor, Scott:
>> I had a transcoding problem with Xerces-C and noticed that it has 
>> already been described 
>> https://issues.apache.org/jira/browse/XERCESC-2052 and fixed for 
>> more than a year but not in the 3.1 branch. So I took the liberty 
>> to port the fix and would be happy if it could be released in a 
>> (hopefully soon) upcoming 3.1.5 or if 3.2 is just around corner, 
>> this would be even better.
> 
> I ported a number of patches from trunk back to the branch when I 
> first jumped in to get security work done on the branch and put
> 3.1.2 out. This seems to have been filed against 3.1.2, so I don't
> think I ever saw that one, it probably wasn't brought to my attention
> and the bug entry doesn't have the fix outlined either. And I am
> generally terrified of touching transcoding code since I don't
> understand any of it, so that all explains why it wasn't backported.

So just for the record, the error is really a regression, it worked in
3.1.1 and the fix in trunk was this commit:
http://svn.apache.org/viewvc?view=revision&revision=1701594
Furthermore I could also reproduce it on Linux and it may be responsible
for this one https://issues.apache.org/jira/browse/XERCESC-2071, too.

> The major problem is that I have no way to test fixes to code I
> don't understand. That's the biggest problem, paralysis out of fear
> of breaking something.

There seems to be some kind of encoding tests at least I found that one
http://svn.apache.org/viewvc/xerces/c/trunk/tests/src/EncodingTest/
but I did not see any input files to this.

Thanks for taking care and reopening.

Best regards,
Michael

RE: Porting XERCESC-2052 fix to 3.1 branch

["Cantor, Scott" <ca...@osu.edu>]

> I had a transcoding problem with Xerces-C and noticed that it has
> already been described
> https://issues.apache.org/jira/browse/XERCESC-2052 and fixed for more
> than a year but not in the 3.1 branch.
> So I took the liberty to port the fix and would be happy if it could be
> released in a (hopefully soon) upcoming 3.1.5 or if 3.2 is just around
> corner, this would be even better.

I ported a number of patches from trunk back to the branch when I first jumped in to get security work done on the branch and put 3.1.2 out. This seems to have been filed against 3.1.2, so I don't think I ever saw that one, it probably wasn't brought to my attention and the bug entry doesn't have the fix outlined either. And I am generally terrified of touching transcoding code since I don't understand any of it, so that all explains why it wasn't backported.

The major problem is that I have no way to test fixes to code I don't understand. That's the biggest problem, paralysis out of fear of breaking something.

If somebody vouches for the fix, I don't have a problem applying it, but I can't possibly know whether the fix is safe beyond just taking somebody's word for it.

Either way, I'd advise attaching the patch to the bug, and I'll reopen it for now just to track that it hasn't been backported.

-- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org