cargo quick-xml 0.41.0
v0.41.0 - Secuirity fixes
on Rust Cargo

6 hours ago

What's Changed

New Features

  • #970: Add NsReader::resolver_mut() and NamespaceResolver::{max_declarations_per_element, set_max_declarations_per_element}.

Bug Fixes

  • #969: Attributes (and anything that iterates BytesStart::attributes() with the default with_checks(true)) no longer takes O(N²) time on a start tag with a large number of attributes. Small tags keep the previous linear scan; larger ones switch to a 64-bit hash pre-filter, so the whole tag is O(N). The exact AttrError::Duplicated(new, prev) positions are unchanged.
  • #970: NamespaceResolver::push (and hence every NsReader Start/Empty event) now rejects a start tag that declares more than DEFAULT_MAX_DECLARATIONS_PER_ELEMENT (256) xmlns / xmlns:* namespace bindings, returning the new NamespaceError::TooManyDeclarations. Previously push allocated one NamespaceBinding per declaration with no upper bound, before the event was returned to the caller, so an NsReader consumer could not bound its memory exposure on untrusted input. The limit is configurable via NamespaceResolver::set_max_declarations_per_element (use usize::MAX to disable).

New Contributors

Full Changelog: v0.40.1...v0.41.0

Check out latest releases or
releases around quick-xml 0.41.0

Don't miss a new quick-xml release

NewReleases is sending notifications on new releases.

Get notifications