Merge pull request #2666 from sparklemotion/flavorjones-update-libxml…

…2-2.10.3 dep: update libxml2 to v2.10.3
sparklemotion · Oct 14, 2022 · 29c101e · 29c101e
2 parents 57d1a56 + 3ebb3b5
commit 29c101e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/dependencies.yml b/dependencies.yml
@@ -1,7 +1,7 @@
 libxml2:
-  version: "2.10.2"
-  sha256: "d240abe6da9c65cb1900dd9bf3a3501ccf88b3c2a1cb98317d03f272dda5b265"
-  # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.2.sha256sum
+  version: "2.10.3"
+  sha256: "5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c"
+  # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.3.sha256sum
 
 libxslt:
   version: "1.1.37"

diff --git a/test/xml/sax/test_parser.rb b/test/xml/sax/test_parser.rb
@@ -437,7 +437,12 @@ def call_parse_io_with_encoding(encoding)
           parser = Nokogiri::XML::SAX::Parser.new(handler)
           parser.parse(xml)
 
-          assert_predicate(handler.errors, :empty?)
+          if Nokogiri.uses_libxml?(">=2.10.3")
+            # CVE-2022-40303 https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986
+            assert_match(/CData section too big/, handler.errors.first)
+          else
+            assert_predicate(handler.errors, :empty?)
+          end
         end
 
         it "does not resolve entities by default" do