Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encoding/xml: does not check namespace constraints that do not require keeping extra state #68296

Open
Tracked by #68293
DemiMarie opened this issue Jul 4, 2024 · 4 comments
Open
Tracked by #68293

encoding/xml: does not check namespace constraints that do not require keeping extra state #68296

DemiMarie opened this issue Jul 4, 2024 · 4 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog

Comments

@DemiMarie
Copy link
Contributor

DemiMarie commented Jul 4, 2024
edited
Loading

Go version

go version go1.21.11 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/user/.cache/go-build'
GOENV='/home/user/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/user/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/user/go'
GOPRIVATE=''
GOPROXY='direct'
GOROOT='/usr/lib/golang'
GOSUMDB='off'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/usr/lib/golang/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.11'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3671854511=/tmp/go-build -gno-record-gcc-switches'

What did you do?

https://go.dev/play/p/FRIvYTU13fC

What did you see happen?

encoding/xml does not reject XML with the following violations of namespace constraints:

  1. Binding a URL other than http://www.w3.org/XML/1998/namespace to the prefix xml:

    <!-- Ill-formed: cannot bind prefix xml: to a URL other than
     http://www.w3.org/XML/1998/namespace -->
<a xmlns:xml="https://example.com"/>

  2. Binding http://www.w3.org/XML/1998/namespace to a prefix other than xml:

    <!-- Ill-formed: cannot bind a prefix other than xml: to
     http://www.w3.org/XML/1998/namespace -->
<a xmlns:a="http://www.w3.org/XML/1998/namespace"/>

  3. Declaring http://www.w3.org/XML/1998/namespace as the default namespace:

    <!-- Ill-formed: cannot declare http://www.w3.org/XML/1998/namespace
     as default namespace -->
<a xmlns="http://www.w3.org/XML/1998/namespace"/>

  4. Declaring the prefix xmlns, whether it is with the correct URL http://www.w3.org/2000/xmlns/

    <!-- Ill-formed: cannot declare xmlns: prefix -->
<a xmlns:xmlns="http://www.w3.org/2000/xmlns/"/>

    or with any other URL:

    <!-- Ill-formed: cannot declare xmlns: prefix -->
<a xmlns:xmlns="https://example.com"/>

  5. Binding the URL http://www.w3.org/2000/xmlns/ to any prefix:

    <!-- Ill-formed: cannot bind a prefix to
     http://www.w3.org/2000/xmlns/ -->
<a xmlns:a="http://www.w3.org/2000/xmlns/"/>

  6. Declaring http://www.w3.org/2000/xmlns/ as the default namespace:

    <!-- Ill-formed: cannot declare http://www.w3.org/2000/xmlns/
     as default namespace -->
<a xmlns="http://www.w3.org/2000/xmlns/"/>

  7. Using xmlns as the prefix for an element:

    <!-- Ill-formed: xmlns: cannot be the prefix of an element name -->
<xmlns:a/>

  8. Undeclaring a namespace prefix by binding the empty string

    <!-- Ill-formed: cannot bind a namespace to the empty string -->
<a xmlns:a=""/>

What did you expect to see?

encoding/xml should reject these violations, whether Token or RawToken are used. Detecting these violations can be done without maintaining any additional state and without resolving prefixes to namespace URLs.
@gabyhelp
Copy link

gabyhelp commented Jul 4, 2024

Related Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@gabyhelp gabyhelp mentioned this issue Jul 4, 2024
Open
This was referenced Jul 4, 2024
Open
Open
Open
@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 8, 2024
@cagedmantis cagedmantis added this to the Backlog milestone Jul 8, 2024
@cagedmantis
Copy link
Contributor

@rsc

@cagedmantis
Copy link
Contributor

Please note this related comment #68293 (comment)

@DemiMarie
Copy link
Contributor Author

Please note this related comment #68293 (comment)

#68299 is that proposal

This was referenced Jul 9, 2024
Open
Open
@gabyhelp gabyhelp mentioned this issue Jul 17, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@cagedmantis @DemiMarie @gabyhelp