Discussion:
Porting XERCESC-2052 fix to 3.1 branch
Michael Behrisch
2016-10-20 21:16:43 UTC
Hi,
I had a transcoding problem with Xerces-C and noticed that it has
already been described
https://issues.apache.org/jira/browse/XERCESC-2052 and fixed for more
than a year but not in the 3.1 branch.
So I took the liberty to port the fix and would be happy if it could be
released in a (hopefully soon) upcoming 3.1.5 or if 3.2 is just around
the corner, this would be even better.

If this is not possible for any reason, would you mind (i.e. see major
security risks) when I try to add the patch at least to the rpm packages
of my favourite Linux distro?

Best regards and thanks for providing Xerces-C,
Michael
Cantor, Scott
2016-10-21 00:39:38 UTC
Post by Michael Behrisch
I had a transcoding problem with Xerces-C and noticed that it has
already been described
https://issues.apache.org/jira/browse/XERCESC-2052 and fixed for more
than a year but not in the 3.1 branch.
So I took the liberty to port the fix and would be happy if it could be
released in a (hopefully soon) upcoming 3.1.5 or if 3.2 is just around
the corner, this would be even better.
I ported a number of patches from trunk back to the branch when I first jumped in to get security work done on the branch and put 3.1.2 out. This seems to have been filed against 3.1.2, so I don't think I ever saw that one, it probably wasn't brought to my attention and the bug entry doesn't have the fix outlined either. And I am generally terrified of touching transcoding code since I don't understand any of it, so that all explains why it wasn't backported.

The major problem is that I have no way to test fixes to code I don't understand. That's the biggest problem, paralysis out of fear of breaking something.

If somebody vouches for the fix, I don't have a problem applying it, but I can't possibly know whether the fix is safe beyond just taking somebody's word for it.

Either way, I'd advise attaching the patch to the bug, and I'll reopen it for now just to track that it hasn't been backported.

-- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-***@xerces.apache.org
For additional commands, e-mail: c-dev-***@xerces.apache.org
Michael Behrisch
2016-10-21 06:02:20 UTC
Post by Cantor, Scott
Post by Michael Behrisch
I had a transcoding problem with Xerces-C and noticed that it has
already been described
https://issues.apache.org/jira/browse/XERCESC-2052 and fixed for
more than a year but not in the 3.1 branch. So I took the liberty
to port the fix and would be happy if it could be released in a
(hopefully soon) upcoming 3.1.5 or if 3.2 is just around the corner,
this would be even better.
I ported a number of patches from trunk back to the branch when I
first jumped in to get security work done on the branch and put
3.1.2 out. This seems to have been filed against 3.1.2, so I don't
think I ever saw that one, it probably wasn't brought to my attention
and the bug entry doesn't have the fix outlined either. And I am
generally terrified of touching transcoding code since I don't
understand any of it, so that all explains why it wasn't backported.
So just for the record, the error is really a regression, it worked in
3.1.1 and the fix in trunk was this commit:
http://svn.apache.org/viewvc?view=revision&revision=1701594
Furthermore I could also reproduce it on Linux and it may be responsible
for this one https://issues.apache.org/jira/browse/XERCESC-2071, too.
Post by Cantor, Scott
The major problem is that I have no way to test fixes to code I
don't understand. That's the biggest problem, paralysis out of fear
of breaking something.
There seem to be some kind of encoding tests; at least I found that one
http://svn.apache.org/viewvc/xerces/c/trunk/tests/src/EncodingTest/
but I did not see any input files for it.

Thanks for taking care and reopening.

Best regards,
Michael
Cantor, Scott
2016-10-21 12:57:09 UTC
Post by Michael Behrisch
So just for the record, the error is really a regression, it worked in
That's even stronger evidence that I have no business touching that code, I'm afraid. So I would have to say that somebody who does know it needs to own it and take care of applying those fixes to the branch.

-- Scott


Cantor, Scott
2017-07-17 20:17:38 UTC
Don't know if the OP (cc'd) is still around but since I'm trying to get us moving toward a 3.2 release, I wanted to clarify this...
Post by Michael Behrisch
So just for the record, the error is really a regression, it worked in
http://svn.apache.org/viewvc?view=revision&revision=1701594
Was applied only to trunk, not to 3.1.0/3.1.1, and the test case is only on trunk. It couldn't have been working on 3.1.1 or the "fix" is something else.

I was concerned that one of the security fixes to 3.1.2 and up broke something, and had filed this away to follow up before a 3.2.0, but this seems to be something else entirely, just a fix that didn't ever get done on the branch, and therefore can be closed out once we release trunk.

-- Scott

