KTOR-6286 Update xmlutil to 0.86.2 #3770
Merged
marychatte force-pushed the marychatte/KTOR-6286_XML_XXE branch from 05f8f73 to 7ce20af (September 29, 2023 14:13)
e5l approved these changes (Oct 2, 2023)
e5l pushed a commit that referenced this pull request (Oct 4, 2023)
(cherry picked from commit 87181e4)
e5l added a commit that referenced this pull request (Oct 4, 2023)

* KTOR-6221: Fix reduced concurrent reqs in Apache5 (#3738)

When using the Apache5 engine, total concurrent requests to a single route were limited to 5 requests. This is due to the code which tried to increase the concurrency to the ktor-standard 1000 concurrent having a typo and setting the total max connections twice and missing the max connections completely.

(cherry picked from commit fa5cba1)

* Avoid crashing when TLS TCP socket is closed (#3690)

* Avoid crashing when TLS TCP socket is closed

When using a plain TCP socket with TLS, two worker jobs are spawned:

- cio-tls-input-loop
- cio-tls-output-loop

These worker jobs live in their own scope, and exceptions they throw can't easily be caught by the caller: the only option is to install a `CoroutineExceptionHandler` for the whole TLS socket, which is quite hacky and may hide bugs.

When the TCP socket is closed, this is only caught when trying to write on the output channel, which throws a `ClosedSendChannelException`. We now catch that exception and cleanly stop the background job.

Fixes https://youtrack.jetbrains.com/issue/KTOR-5178/TLSSocket-cannot-catch-the-exception-thrown-by-appDataOutputLoop
Fixes https://youtrack.jetbrains.com/issue/KTOR-4360/Android-Impossible-to-catch-the-ClosedSendChannelException-when-TLS-connection-socket-is-closed

* fixup! Avoid crashing when TLS TCP socket is closed

(cherry picked from commit 1905329)

* KTOR-6229 Fix hostname verification in CIO (#3746)

(cherry picked from commit 53fa31a)

* KTOR-5540 Fix darwin ws pong message (#3747)

* KTOR-5540 Fix darwin ws pong message

* Update ktor-client/ktor-client-darwin/darwin/test/DarwinEngineTest.kt

Co-authored-by: Vitor Hugo Schwaab <vitor@schwaab.dev>

---------

Co-authored-by: Rustam <rxsinukov@gmail.com>
Co-authored-by: Vitor Hugo Schwaab <vitor@schwaab.dev>
(cherry picked from commit 375b0d3)

* Update netty monorepo to v4.1.97.Final (#3627)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
(cherry picked from commit a0ae1eb)

* KTOR-6292 Make client use Dispatchers.IO by default (#3748)

* KTOR-6292 Make client use Dispatchers.IO by default

(cherry picked from commit a22852c)

* Update kotlin to 1.9.10 (#3761)

* Fix mingwX64 compilation

* Update kotlin to 1.9.10

* Fix CallLogging tests

* Fix js compilation

(cherry picked from commit 8a9f4a5)

* fixup! Update kotlin to 1.9.10 (#3761)

* KTOR-6286 Update xmlutil to 0.86.2 (#3770)

(cherry picked from commit 87181e4)

---------

Co-authored-by: Sebastian Mayr <smayr@atlassian.com>
Co-authored-by: Bastien Teinturier <31281497+t-bast@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Mariia Skripchenko <61115099+marychatte@users.noreply.github.com>
marychatte added a commit to jacekgajek/ktor that referenced this pull request (Sep 5, 2024)

* KTOR-6221: Fix reduced concurrent reqs in Apache5 (ktorio#3738)

When using the Apache5 engine, total concurrent requests to a single route were limited to 5 requests. This is due to the code which tried to increase the concurrency to the ktor-standard 1000 concurrent having a typo and setting the total max connections twice and missing the max connections completely.

(cherry picked from commit fa5cba1)

* Avoid crashing when TLS TCP socket is closed (ktorio#3690)

* Avoid crashing when TLS TCP socket is closed

When using a plain TCP socket with TLS, two worker jobs are spawned:

- cio-tls-input-loop
- cio-tls-output-loop

These worker jobs live in their own scope, and exceptions they throw can't easily be caught by the caller: the only option is to install a `CoroutineExceptionHandler` for the whole TLS socket, which is quite hacky and may hide bugs.

When the TCP socket is closed, this is only caught when trying to write on the output channel, which throws a `ClosedSendChannelException`. We now catch that exception and cleanly stop the background job.

Fixes https://youtrack.jetbrains.com/issue/KTOR-5178/TLSSocket-cannot-catch-the-exception-thrown-by-appDataOutputLoop
Fixes https://youtrack.jetbrains.com/issue/KTOR-4360/Android-Impossible-to-catch-the-ClosedSendChannelException-when-TLS-connection-socket-is-closed

* fixup! Avoid crashing when TLS TCP socket is closed

(cherry picked from commit 1905329)

* KTOR-6229 Fix hostname verification in CIO (ktorio#3746)

(cherry picked from commit 53fa31a)

* KTOR-5540 Fix darwin ws pong message (ktorio#3747)

* KTOR-5540 Fix darwin ws pong message

* Update ktor-client/ktor-client-darwin/darwin/test/DarwinEngineTest.kt

Co-authored-by: Vitor Hugo Schwaab <vitor@schwaab.dev>

---------

Co-authored-by: Rustam <rxsinukov@gmail.com>
Co-authored-by: Vitor Hugo Schwaab <vitor@schwaab.dev>
(cherry picked from commit 375b0d3)

* Update netty monorepo to v4.1.97.Final (ktorio#3627)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
(cherry picked from commit a0ae1eb)

* KTOR-6292 Make client use Dispatchers.IO by default (ktorio#3748)

* KTOR-6292 Make client use Dispatchers.IO by default

(cherry picked from commit a22852c)

* Update kotlin to 1.9.10 (ktorio#3761)

* Fix mingwX64 compilation

* Update kotlin to 1.9.10

* Fix CallLogging tests

* Fix js compilation

(cherry picked from commit 8a9f4a5)

* fixup! Update kotlin to 1.9.10 (ktorio#3761)

* KTOR-6286 Update xmlutil to 0.86.2 (ktorio#3770)

(cherry picked from commit 87181e4)

---------

Co-authored-by: Sebastian Mayr <smayr@atlassian.com>
Co-authored-by: Bastien Teinturier <31281497+t-bast@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Mariia Skripchenko <61115099+marychatte@users.noreply.github.com>
KTOR-6286 We need to update `xmlutil` because in the previous version it was vulnerable to an XXE attack.
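
A dependency check for the update described above, as an added example that is not part of the pull request or the Ktor code base: it scans `gradle dependencies` output for xmlutil artifacts that still resolve below 0.86.2. The Maven group `io.github.pdvrieze.xmlutil`, the constructed sample report, and the rule of flagging every version below 0.86.2 are assumptions; the page only states that the previous version was vulnerable.

```python
import re

FIXED = (0, 86, 2)                    # version this pull request updates to
GROUP = "io.github.pdvrieze.xmlutil"  # assumed Maven group of xmlutil

# One coordinate in `gradle dependencies` output. Gradle prints
# "group:artifact:requested -> resolved" when resolution changed the version.
COORD = re.compile(
    r"(?P<ga>" + re.escape(GROUP) + r":[\w.-]+):(?P<req>[\w.+-]+)"
    r"(?:\s*->\s*(?P<res>[\w.+-]+))?"
)

# Constructed sample: two configurations of a hypothetical project.
SAMPLE_REPORT = r"""
compileClasspath
+--- com.example:xml-feature:1.0.0
|    +--- io.github.pdvrieze.xmlutil:core:0.86.1
|    \--- io.github.pdvrieze.xmlutil:serialization:0.86.1
runtimeClasspath
+--- io.github.pdvrieze.xmlutil:core:0.86.1 -> 0.86.2
\--- io.github.pdvrieze.xmlutil:serialization:0.86.2 (*)
"""


def parse_version(text):
    """Turn '0.86.2' or '0.86.2-SNAPSHOT' into a comparable tuple of ints."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]  # drop qualifier / build tag
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def outdated_xmlutil(report):
    """Return sorted (artifact, resolved_version) pairs older than FIXED."""
    found = set()
    for line in report.splitlines():
        match = COORD.search(line)
        if not match:
            continue
        # The resolved version is what ends up on the classpath, so a line
        # such as "0.86.1 -> 0.86.2" is not a finding.
        resolved = match.group("res") or match.group("req")
        if parse_version(resolved) < FIXED:
            found.add((match.group("ga"), resolved))
    return sorted(found)


if __name__ == "__main__":
    for artifact, version in outdated_xmlutil(SAMPLE_REPORT):
        print(f"{artifact} resolves to {version}, below 0.86.2")
```
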