You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@commons.apache.org by Nick Lothian <ni...@gmail.com> on 2006/10/11 07:50:57 UTC
[feedparser] Security patch
Hi,
I'm a developer on the ROME RSS/Atom parser project
(http://rome.dev.java.net/). We were recently notified of a possible
security issue in our code
(http://www.somebits.com/weblog/tech/bad/xmlCode.html), which we've
fixed.
I'm aware that FeedParser is a dormant project, but the attached patch
will fix the same problem in the Apache-Commons project version.
I've also attached updated FeedParserImpl.java suitable for using with
Kevin's TailRank version (http://tailrank.com/code.php) (Hi Kevin!)
SAXBuilder.java is needed for both versions.
There is also an example RSS file which triggers the bug. (You'll need
some kind of monitoring tool to check for connections to example.com
on port 80).
Hopefully someone will find these useful.
Regards
Nick Lothian
nlothian@apache.org
Re: [feedparser] Security patch
Posted by Nick Lothian <ni...@gmail.com>.
Did this get applied? I don't think I've seen the commit email
On 10/12/06, Martin van den Bemt <ml...@mvdb.net> wrote:
> I will apply the patch when no one beats me to it..
>
> Mvgr,
> Martin
>
> Nick Lothian wrote:
> >> >
> >> > I'm aware that FeedParser is a dormant project, but the attached patch
> >> > will fix the same problem in the Apache-Commons project version.
> >>
> >> FeedParser def isn't dormant....
> >>
> >> http://code.tailrank.com/feedparser
> >>
> >> I just haven't officially announced that I'm moving it out of Apache.
> >> Just
> >> been to busy with official work to be a good maintainer :-/
> >>
> >
> > Sorry - I didn't mean to imply that you aren't working on it - I know
> > you've made the Tailrank stream available.
> >
> > All I meant was that FeedParser is listed in
> > http://jakarta.apache.org/commons/dormant/index.html, which I believe
> > means that no one is actively maintaining the Apache version.
> >
> > Nick
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: commons-dev-help@jakarta.apache.org
> >
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-dev-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org
Re: [feedparser] Security patch
Posted by Martin van den Bemt <ml...@mvdb.net>.
I will apply the patch when no one beats me to it..
Mvgr,
Martin
Nick Lothian wrote:
>> >
>> > I'm aware that FeedParser is a dormant project, but the attached patch
>> > will fix the same problem in the Apache-Commons project version.
>>
>> FeedParser def isn't dormant....
>>
>> http://code.tailrank.com/feedparser
>>
>> I just haven't officially announced that I'm moving it out of Apache.
>> Just
>> been to busy with official work to be a good maintainer :-/
>>
>
> Sorry - I didn't mean to imply that you aren't working on it - I know
> you've made the Tailrank stream available.
>
> All I meant was that FeedParser is listed in
> http://jakarta.apache.org/commons/dormant/index.html, which I believe
> means that no one is actively maintaining the Apache version.
>
> Nick
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-dev-help@jakarta.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org
Re: [feedparser] Security patch
Posted by Nick Lothian <ni...@gmail.com>.
> >
> > I'm aware that FeedParser is a dormant project, but the attached patch
> > will fix the same problem in the Apache-Commons project version.
>
> FeedParser def isn't dormant....
>
> http://code.tailrank.com/feedparser
>
> I just haven't officially announced that I'm moving it out of Apache. Just
> been to busy with official work to be a good maintainer :-/
>
Sorry - I didn't mean to imply that you aren't working on it - I know
you've made the Tailrank stream available.
All I meant was that FeedParser is listed in
http://jakarta.apache.org/commons/dormant/index.html, which I believe
means that no one is actively maintaining the Apache version.
Nick
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org
Re: [feedparser] Security patch
Posted by Kevin Burton <bu...@tailrank.com>.
On 10/10/06, Nick Lothian <ni...@gmail.com> wrote:
>
> Hi,
>
> I'm a developer on the ROME RSS/Atom parser project
> (http://rome.dev.java.net/). We were recently notified of a possible
> security issue in our code
> (http://www.somebits.com/weblog/tech/bad/xmlCode.html), which we've
> fixed.
>
> I'm aware that FeedParser is a dormant project, but the attached patch
> will fix the same problem in the Apache-Commons project version.
FeedParser def isn't dormant....
http://code.tailrank.com/feedparser
I just haven't officially announced that I'm moving it out of Apache. Just
been to busy with official work to be a good maintainer :-/
I've also attached updated FeedParserImpl.java suitable for using with
> Kevin's TailRank version (http://tailrank.com/code.php) (Hi Kevin!)
Sweet.
SAXBuilder.java is needed for both versions.
>
> There is also an example RSS file which triggers the bug. (You'll need
> some kind of monitoring tool to check for connections to example.com
> on port 80).
>
> Hopefully someone will find these useful.
Interesting...... I'll take a look.
Thanks.
Kevin
--
Founder/CEO Tailrank.com
Location: San Francisco, CA
AIM/YIM: sfburtonator
Skype: burtonator
Blog: feedblog.org
Cell: 415-637-8078