at_la-random_rand_s.Plo -rm -f ./$(DEPDIR)/libtestpat_la-xmlparse.Plo -rm -f ./$(DEPDIR)/libtestpat_la-xmlrole.Plo -rm -f ./$(DEPDIR)/libtestpat_la-xmltok.Plo + -rm -f ./$(DEPDIR)/random_arc4random.Plo + -rm -f ./$(DEPDIR)/random_arc4random_buf.Plo + -rm -f ./$(DEPDIR)/random_dev_urandom.Plo + -rm -f ./$(DEPDIR)/random_getentropy.Plo + -rm -f ./$(DEPDIR)/random_getrandom.Plo + -rm -f ./$(DEPDIR)/random_rand_s.Plo -rm -f ./$(DEPDIR)/xmlparse.Plo -rm -f ./$(DEPDIR)/xmlrole.Plo -rm -f ./$(DEPDIR)/xmltok.Plo @@ -831,9 +961,21 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/libtestpat_la-random_arc4random.Plo + -rm -f ./$(DEPDIR)/libtestpat_la-random_arc4random_buf.Plo + -rm -f ./$(DEPDIR)/libtestpat_la-random_dev_urandom.Plo + -rm -f ./$(DEPDIR)/libtestpat_la-random_getentropy.Plo + -rm -f ./$(DEPDIR)/libtestpat_la-random_getrandom.Plo + -rm -f ./$(DEPDIR)/libtestpat_la-random_rand_s.Plo -rm -f ./$(DEPDIR)/libtestpat_la-xmlparse.Plo -rm -f ./$(DEPDIR)/libtestpat_la-xmlrole.Plo -rm -f ./$(DEPDIR)/libtestpat_la-xmltok.Plo + -rm -f ./$(DEPDIR)/random_arc4random.Plo + -rm -f ./$(DEPDIR)/random_arc4random_buf.Plo + -rm -f ./$(DEPDIR)/random_dev_urandom.Plo + -rm -f ./$(DEPDIR)/random_getentropy.Plo + -rm -f ./$(DEPDIR)/random_getrandom.Plo + -rm -f ./$(DEPDIR)/random_rand_s.Plo -rm -f ./$(DEPDIR)/xmlparse.Plo -rm -f ./$(DEPDIR)/xmlrole.Plo -rm -f ./$(DEPDIR)/xmltok.Plo diff --git a/contrib/expat/lib/expat.h b/contrib/expat/lib/expat.h index 18dbaebde293..79c609f19aa4 100644 --- a/contrib/expat/lib/expat.h +++ b/contrib/expat/lib/expat.h @@ -45,6 +45,7 @@ #ifndef Expat_INCLUDED # define Expat_INCLUDED 1 +# include // for uint8_t # include # include "expat_external.h" 
@@ -917,10 +918,21 @@ XML_SetParamEntityParsing(XML_Parser parser, function behavior. This must be called before parsing is started. Returns 1 if successful, 0 when called after parsing has started. Note: If parser == NULL, the function will do nothing and return 0. + DEPRECATED since Expat 2.8.0. */ XMLPARSEAPI(int) XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt); +/* Sets the hash salt to use for internal hash calculations. + Helps in preventing DoS attacks based on predicting hash function behavior. + This must be called before parsing is started. + Returns XML_TRUE if successful, XML_FALSE when called after parsing has + started or when parser is NULL. + Added in Expat 2.8.0. +*/ +XMLPARSEAPI(XML_Bool) +XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]); + /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then XML_GetErrorCode returns information about the error. */ @@ -1081,8 +1093,8 @@ XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled); See https://semver.org */ # define XML_MAJOR_VERSION 2 -# define XML_MINOR_VERSION 7 -# define XML_MICRO_VERSION 5 +# define XML_MINOR_VERSION 8 +# define XML_MICRO_VERSION 0 # ifdef __cplusplus } diff --git a/contrib/expat/lib/expat_external.h b/contrib/expat/lib/expat_external.h index d9ddeb612f6d..7f5c4c3aae4d 100644 --- a/contrib/expat/lib/expat_external.h +++ b/contrib/expat/lib/expat_external.h @@ -12,9 +12,10 @@ Copyright (c) 2001-2002 Greg Stein Copyright (c) 2002-2006 Karl Waclawek Copyright (c) 2016 Cristian Rodríguez - Copyright (c) 2016-2026 Sebastian Pipping + Copyright (c) 2016-2025 Sebastian Pipping Copyright (c) 2017 Rhodri James Copyright (c) 2018 Yury Gribov + Copyright (c) 2026 Matthew Fernandez Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining 
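Review bot: The comment added for `XML_SetHashSalt16Bytes` says nothing about the quality of the 16 bytes, and the `DEPRECATED since Expat 2.8.0.` line added to `XML_SetHashSalt` does not name its replacement. Because the salt exists to keep hash behavior unpredictable to an attacker, I would add `The 16 bytes should come from a cryptographically secure random source and must not be derived from attacker-visible data.` to the new comment, and extend the deprecation line to `DEPRECATED since Expat 2.8.0; use XML_SetHashSalt16Bytes instead.` The parameter `const uint8_t entropy[16]` decays to a plain pointer, so the length is a documented contract the compiler does not enforce; the comment should say how many bytes are read and what happens when `entropy` is NULL. The implementation is outside this hunk, so whether the bytes are copied during the call (and the caller may then wipe its buffer) should be confirmed and documented too.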
@@ -45,7 +46,7 @@ /* Expat tries very hard to make the API boundary very specifically defined. There are two macros defined to control this boundary; each of these can be defined before including this header to - achieve some different behavior, but doing so it not recommended or + achieve some different behavior, but doing so is not recommended or tested frequently. XMLCALL - The calling convention to use for all calls across the diff --git a/contrib/expat/lib/internal.h b/contrib/expat/lib/internal.h index 61266ebb7723..420d4217a569 100644 --- a/contrib/expat/lib/internal.h +++ b/contrib/expat/lib/internal.h @@ -28,7 +28,7 @@ Copyright (c) 2002-2003 Fred L. Drake, Jr. Copyright (c) 2002-2006 Karl Waclawek Copyright (c) 2003 Greg Stein - Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2016-2026 Sebastian Pipping Copyright (c) 2018 Yury Gribov Copyright (c) 2019 David Loffredo Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow @@ -113,6 +113,7 @@ #if defined(_WIN32) \ && (! defined(__USE_MINGW_ANSI_STDIO) \ || (1 - __USE_MINGW_ANSI_STDIO - 1 == 0)) +# define EXPAT_FMT_LLX(midpart) "%" midpart "I64x" # define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" # if defined(_WIN64) // Note: modifiers "td" and "zu" do not work for MinGW # define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" @@ -122,6 +123,7 @@ # define EXPAT_FMT_SIZE_T(midpart) "%" midpart "u" # endif #else +# define EXPAT_FMT_LLX(midpart) "%" midpart "llx" # define EXPAT_FMT_ULL(midpart) "%" midpart "llu" # if ! defined(ULONG_MAX) # error Compiler did not define ULONG_MAX for us diff --git a/contrib/expat/lib/libexpat.map.in b/contrib/expat/lib/libexpat.map.in index 52e59ed3d931..71a6758fd746 100644 --- a/contrib/expat/lib/libexpat.map.in +++ b/contrib/expat/lib/libexpat.map.in 
@@ -117,3 +117,8 @@ LIBEXPAT_2.7.2 {
 @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold;
 @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification;
 } LIBEXPAT_2.6.0;
+
+LIBEXPAT_2.8.0 {
+ global:
+ XML_SetHashSalt16Bytes;
+} LIBEXPAT_2.7.2;
diff --git a/contrib/expat/lib/random_arc4random.c b/contrib/expat/lib/random_arc4random.c
new file mode 100644
index 000000000000..243fbbc82fda
--- /dev/null
+++ b/contrib/expat/lib/random_arc4random.c
@@ -0,0 +1,56 @@
+/*
+ __ __ _
+ ___\ \/ /_ __ __ _| |_
+ / _ \\ /| '_ \ / _` | __|
+ | __// \| |_) | (_| | |_
+ \___/_/\_\ .__/ \__,_|\__|
+ |_| XML parser
+
+ Copyright (c) 2017-2026 Sebastian Pipping
+ Copyright (c) 2026 Matthew Fernandez
+ Licensed under the MIT license:
+
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to permit
+ persons to whom the Software is furnished to do so, subject to the
+ following conditions:
+
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+ USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+
+#include "random_arc4random.h"
+
+#if ! defined(_DEFAULT_SOURCE)
+# define _DEFAULT_SOURCE 1 /* for glibc */
+#endif
+
+#include // for uint32_t
+#include // for arc4random
*** 2045 LINES SKIPPED ***