Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encoding/xml: does not reject forbidden processing instruction names #68499

Open
Tracked by #68293
DemiMarie opened this issue Jul 17, 2024 · 2 comments · May be fixed by #69201
Open
Tracked by #68293

encoding/xml: does not reject forbidden processing instruction names #68499

DemiMarie opened this issue Jul 17, 2024 · 2 comments · May be fixed by #69201
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog

Comments

@DemiMarie
Copy link
Contributor

Go version

1.22

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/user/.cache/go-build'
GOENV='/home/user/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/user/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/user/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/user/go/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/user/go/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='devel go1.23-071b8d51c1a70fa6b12f0bed2e93370e193333fd Fri Jul 12 22:42:17 2024  0000'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/user/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g  '
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2107157220=/tmp/go-build -gno-record-gcc-switches'

What did you do?

https://go.dev/play/p/ldTeErDvu3t

package main

import "encoding/xml"

func main() {
	err := xml.Unmarshal([]byte(`<?a /b?><a/>`), new(interface{}))
	if err != nil {
		panic("well-formed XML rejected")
	}
	err = xml.Unmarshal([]byte(`<?xmla b?><a/>`), new(interface{}))
	if err == nil {
		panic("forbidden processing instruction name accepted")
	}
}

What did you see happen?

Ill-formed XMl with forbidden processing instruction name accepted.

What did you expect to see?

Ill-formed XMl with forbidden processing instruction name rejected.
@DemiMarie DemiMarie mentioned this issue Jul 17, 2024
Open
14 tasks
@gabyhelp
Copy link

Related Issues and Documentation

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@cherrymui cherrymui added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 17, 2024
@cherrymui cherrymui added this to the Backlog milestone Jul 17, 2024
DemiMarie added a commit to DemiMarie/go that referenced this issue Sep 1, 2024
@DemiMarie
encoding/xml: reject processing instructions with reserved names
1adf826 
This is required by the spec.

Fixes: golang#68499
@DemiMarie DemiMarie linked a pull request Sep 1, 2024 that will close this issue
Open
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/610058 mentions this issue: encoding/xml: reject processing instructions with reserved names

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Backlog
Development

Successfully merging a pull request may close this issue.

encoding/xml: reject processing instructions with reserved names DemiMarie/go
4 participants
@DemiMarie @gopherbot @cherrymui @gabyhelp