Posted to dev@commons.apache.org by Nick Lothian <ni...@gmail.com> on 2006/10/11 07:50:57 UTC

[feedparser] Security patch

Hi,

I'm a developer on the ROME RSS/Atom parser project
(http://rome.dev.java.net/). We were recently notified of a possible
security issue in our code
(http://www.somebits.com/weblog/tech/bad/xmlCode.html), which we've
fixed.

I'm aware that FeedParser is a dormant project, but the attached patch
will fix the same problem in the Apache-Commons project version.

I've also attached updated FeedParserImpl.java suitable for using with
Kevin's TailRank version (http://tailrank.com/code.php) (Hi Kevin!)

SAXBuilder.java is needed for both versions.

There is also an example RSS file which triggers the bug. (You'll need
some kind of monitoring tool to check for connections to example.com
on port 80).

Hopefully someone will find these useful.

Regards
  Nick Lothian
  nlothian@apache.org
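Added example (not the patch or the SAXBuilder.java attached to this thread, and not ROME or FeedParser code): the symptom described above, a feed file that makes the parser open a connection to example.com, is what a SAX parser produces when it resolves an external entity declared in the feed's DTD, so this example assumes that is the issue the patch addresses. It parses a constructed feed twice with the JDK's JAXP SAX parser: once with default settings and once with the two standard SAX2 external-entity features turned off. In both runs an EntityResolver is installed that records what the parser asks for and hands back empty content instead of fetching it, so the demo runs offline and also shows the hook where a parser can log such attempts. The class, field and sample URL names are this example's own.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class EntityGuardDemo {

    // Constructed sample feed (not the file attached to the list post): the
    // internal DTD subset declares an external entity and an item body
    // references it. A parser left at its defaults resolves that entity by
    // opening the URL while parsing.
    static final String SAMPLE_RSS =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE rss [\n" +
        "  <!ENTITY remote SYSTEM \"http://example.com/fetched-by-parser\">\n" +
        "]>\n" +
        "<rss version=\"2.0\"><channel><title>constructed</title>\n" +
        "<item><description>before &remote; after</description></item>\n" +
        "</channel></rss>\n";

    /** What one parse did: the entity URLs it asked for, and the description text it saw. */
    static final class ParseReport {
        final List<String> entityRequests = new ArrayList<>();
        final StringBuilder description = new StringBuilder();
    }

    /**
     * Parse with or without the external-entity guard. The EntityResolver is
     * installed in both modes so this demo never touches the network: any
     * entity the parser does try to load is recorded and answered with empty
     * content.
     */
    static ParseReport parse(String xml, boolean hardened) throws Exception {
        final ParseReport report = new ParseReport();
        SAXParserFactory factory = SAXParserFactory.newInstance();
        if (hardened) {
            // Standard SAX2 feature names: do not load external general entities
            // (referenced from content) or external parameter entities
            // (referenced from the DTD). A reference to a skipped entity is
            // reported via skippedEntity() and contributes no text.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        }
        XMLReader reader = factory.newSAXParser().getXMLReader();

        reader.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId) {
                report.entityRequests.add(systemId); // detection: record what was asked for
                // Never return null here: null tells the parser to open systemId itself.
                return new InputSource(new StringReader(""));
            }
        });
        reader.setContentHandler(new DefaultHandler() {
            boolean inDescription;
            @Override public void startElement(String uri, String local, String qName, Attributes atts) {
                inDescription = "description".equals(qName);
            }
            @Override public void endElement(String uri, String local, String qName) {
                if ("description".equals(qName)) inDescription = false;
            }
            @Override public void characters(char[] ch, int start, int length) {
                if (inDescription) report.description.append(ch, start, length);
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return report;
    }

    public static void main(String[] args) throws Exception {
        // Default configuration: the parser consults the resolver for the remote
        // entity, i.e. without the resolver it would have opened the connection.
        ParseReport lax = parse(SAMPLE_RSS, false);
        System.out.println("default config asked for: " + lax.entityRequests);
        System.out.println("description: \"" + lax.description + "\"");

        // Hardened configuration: the external entity is skipped before any
        // resolution happens, so nothing is requested.
        ParseReport safe = parse(SAMPLE_RSS, true);
        System.out.println("hardened config asked for: " + safe.entityRequests);
        System.out.println("description: \"" + safe.description + "\"");
    }
}
```

JDOM's SAXBuilder, which ROME builds on, exposes the same two hooks as setFeature(String, boolean) and setEntityResolver(EntityResolver), so the same feature settings and resolver carry over there. On Xerces-based parsers (including the one bundled with the JDK) the feature http://apache.org/xml/features/disallow-doctype-decl set to true goes further and rejects any feed that carries a DOCTYPE at all; it is Xerces-specific, so catch SAXNotRecognizedException when the parser implementation is not known in advance.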

Re: [feedparser] Security patch

Posted by Nick Lothian <ni...@gmail.com>.
Did this get applied? I don't think I've seen the commit email

On 10/12/06, Martin van den Bemt <ml...@mvdb.net> wrote:
> I will apply the patch when no one beats me to it..
>
> Mvgr,
> Martin
>
> Nick Lothian wrote:
> >> >
> >> > I'm aware that FeedParser is a dormant project, but the attached patch
> >> > will fix the same problem in the Apache-Commons project version.
> >>
> >> FeedParser def isn't dormant....
> >>
> >> http://code.tailrank.com/feedparser
> >>
> >> I just haven't officially announced that I'm moving it out of Apache.
> >> Just
> >> been too busy with official work to be a good maintainer :-/
> >>
> >
> > Sorry - I didn't mean to imply that you aren't working on it - I know
> > you've made the Tailrank stream available.
> >
> > All I meant was that FeedParser is listed in
> > http://jakarta.apache.org/commons/dormant/index.html, which I believe
> > means that no one is actively maintaining the Apache version.
> >
> > Nick
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: commons-dev-help@jakarta.apache.org
> >
> >
> >
>



Re: [feedparser] Security patch

Posted by Martin van den Bemt <ml...@mvdb.net>.
I will apply the patch when no one beats me to it..

Mvgr,
Martin

Nick Lothian wrote:
>> >
>> > I'm aware that FeedParser is a dormant project, but the attached patch
>> > will fix the same problem in the Apache-Commons project version.
>>
>> FeedParser def isn't dormant....
>>
>> http://code.tailrank.com/feedparser
>>
>> I just haven't officially announced that I'm moving it out of Apache.  
>> Just
>> been too busy with official work to be a good maintainer :-/
>>
> 
> Sorry - I didn't mean to imply that you aren't working on it - I know
> you've made the Tailrank stream available.
> 
> All I meant was that FeedParser is listed in
> http://jakarta.apache.org/commons/dormant/index.html, which I believe
> means that no one is actively maintaining the Apache version.
> 
> Nick
> 



Re: [feedparser] Security patch

Posted by Nick Lothian <ni...@gmail.com>.
> >
> > I'm aware that FeedParser is a dormant project, but the attached patch
> > will fix the same problem in the Apache-Commons project version.
>
> FeedParser def isn't dormant....
>
> http://code.tailrank.com/feedparser
>
> I just haven't officially announced that I'm moving it out of Apache.  Just
> been too busy with official work to be a good maintainer :-/
>

Sorry - I didn't mean to imply that you aren't working on it - I know
you've made the Tailrank stream available.

All I meant was that FeedParser is listed in
http://jakarta.apache.org/commons/dormant/index.html, which I believe
means that no one is actively maintaining the Apache version.

Nick



Re: [feedparser] Security patch

Posted by Kevin Burton <bu...@tailrank.com>.
On 10/10/06, Nick Lothian <ni...@gmail.com> wrote:
>
> Hi,
>
> I'm a developer on the ROME RSS/Atom parser project
> (http://rome.dev.java.net/). We were recently notified of a possible
> security issue in our code
> (http://www.somebits.com/weblog/tech/bad/xmlCode.html), which we've
> fixed.
>
> I'm aware that FeedParser is a dormant project, but the attached patch
> will fix the same problem in the Apache-Commons project version.


FeedParser def isn't dormant....

http://code.tailrank.com/feedparser

I just haven't officially announced that I'm moving it out of Apache.  Just
been too busy with official work to be a good maintainer :-/

> I've also attached updated FeedParserImpl.java suitable for using with
> Kevin's TailRank version (http://tailrank.com/code.php) (Hi Kevin!)


Sweet.

> SAXBuilder.java is needed for both versions.
>
> There is also an example RSS file which triggers the bug. (You'll need
> some kind of monitoring tool to check for connections to example.com
> on port 80).
>
> Hopefully someone will find these useful.


Interesting...... I'll take a look.

Thanks.

Kevin

-- 
Founder/CEO Tailrank.com
Location: San Francisco, CA
AIM/YIM: sfburtonator
Skype: burtonator
Blog: feedblog.org
Cell: 415-637-8078