
intermediate changes
ref:1d2cbda2e7c6bc330948772f6a0d51b2fa37ffb6

arcadia-devtools 3 years ago
parent
commit
4956097cce

+ 6 - 6
build/ya.conf.json

@@ -8338,7 +8338,7 @@
         },
         "bigb_bb_cluster_analyzer": {
             "formula": {
-                "sandbox_id": 1234469475,
+                "sandbox_id": 1235586581,
                 "match": "bb_cluster_analyzer"
             },
             "executable": {
@@ -8349,7 +8349,7 @@
         },
         "bigb_yt_profiles_dumper": {
             "formula": {
-                "sandbox_id": 1234469079,
+                "sandbox_id": 1235586542,
                 "match": "yt_profiles_dumper"
             },
             "executable": {
@@ -8360,7 +8360,7 @@
         },
         "bigb_ab": {
             "formula": {
-                "sandbox_id": 1234469075,
+                "sandbox_id": 1235586615,
                 "match": "ab"
             },
             "executable": {
@@ -8384,7 +8384,7 @@
         },
         "caesar_yt_sync": {
             "formula": {
-                "sandbox_id": 1234469089,
+                "sandbox_id": 1235584963,
                 "match": "yt_sync"
             },
             "executable": {
@@ -8395,7 +8395,7 @@
         },
         "caesar_lookup_profile": {
             "formula": {
-                "sandbox_id": 1234467836,
+                "sandbox_id": 1235588416,
                 "match": "lookup_profile"
             },
             "executable": {
@@ -8417,7 +8417,7 @@
         },
         "caesar_profile_size_analyzer": {
             "formula": {
-                "sandbox_id": 1234467754,
+                "sandbox_id": 1235585590,
                 "match": "profile_size_analyzer"
             },
             "executable": {

+ 57 - 37
contrib/libs/expat/.yandex_meta/devtools.copyrights.report

@@ -69,7 +69,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        expat.h [9:18]
+        expat.h [9:19]
         expat_external.h [9:18]
         lib/xmlrole.c [9:19]
         lib/xmltok.c [9:24]
@@ -84,9 +84,19 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
         lib/xmltok_impl.c [9:19]
 
+KEEP     COPYRIGHT_SERVICE_LABEL 17566be0ee85deadbd5b2fcedc8b66a9
+BELONGS ya.make
+    Note: matched license text is too long. Read it in the source files.
+    Scancode info:
+        Original SPDX id: COPYRIGHT_SERVICE_LABEL
+        Score           : 100.00
+        Match type      : COPYRIGHT
+    Files with this license:
+        lib/xmlparse.c [9:38]
+
 KEEP     COPYRIGHT_SERVICE_LABEL 1916cbefc2e0a780a3d503ba26f3780a
 BELONGS ya.make
     Note: matched license text is too long. Read it in the source files.
@@ -118,7 +128,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
         lib/xmltok.c [9:24]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 262c58e3a627f5cee77a882379e1364f
@@ -140,7 +150,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 338b8ad8ee9b8449a90a88a0559aefd9
 BELONGS ya.make
@@ -150,7 +160,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 387a03e23bfe968e0bc1919b0ef65164
 BELONGS ya.make
@@ -170,7 +180,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 4010f67351b9e656cc500aa367c0c393
 BELONGS ya.make
@@ -180,10 +190,20 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
         lib/xmlrole.c [9:19]
         lib/xmltok.c [9:24]
 
+KEEP     COPYRIGHT_SERVICE_LABEL 50da2a76d12ee3df6d928d81ca59a715
+BELONGS ya.make
+    Note: matched license text is too long. Read it in the source files.
+    Scancode info:
+        Original SPDX id: COPYRIGHT_SERVICE_LABEL
+        Score           : 100.00
+        Match type      : COPYRIGHT
+    Files with this license:
+        expat.h [9:19]
+
 KEEP     COPYRIGHT_SERVICE_LABEL 52b42ccd5b2debda3846c7aad55185e7
 BELONGS ya.make
     Note: matched license text is too long. Read it in the source files.
@@ -235,8 +255,8 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        expat.h [9:18]
-        lib/xmlparse.c [9:37]
+        expat.h [9:19]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 6451d5e490271b354ad3b567c7a03423
 BELONGS ya.make
@@ -246,7 +266,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 660431f3ef648d1a8e72ca1d307af738
 BELONGS ya.make
@@ -256,7 +276,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 671a3fd18ec8f4a472b12e1ee2d0c616
 BELONGS ya.make
@@ -286,7 +306,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 7c09099ef5f35bf3be4611e6cbb14510
 BELONGS ya.make
@@ -306,7 +326,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        expat.h [9:18]
+        expat.h [9:19]
         expat_external.h [9:18]
         lib/ascii.h [9:14]
         lib/asciitab.h [9:13]
@@ -315,7 +335,7 @@ BELONGS ya.make
         lib/nametab.h [9:11]
         lib/utf8tab.h [9:13]
         lib/winconfig.h [9:13]
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
         lib/xmlrole.c [9:19]
         lib/xmlrole.h [9:14]
         lib/xmltok.c [9:24]
@@ -356,7 +376,7 @@ BELONGS ya.make
         Match type      : COPYRIGHT
     Files with this license:
         lib/internal.h [28:34]
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
         lib/xmlrole.c [9:19]
         lib/xmltok.c [9:24]
         lib/xmltok_impl.c [9:19]
@@ -369,9 +389,9 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        expat.h [9:18]
+        expat.h [9:19]
         expat_external.h [9:18]
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL a0fdd1392c0b9b2558b9ccfe44592143
 BELONGS ya.make
@@ -411,7 +431,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL aafe06df8255f48781ac9d4e96e1ea4e
 BELONGS ya.make
@@ -421,8 +441,8 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        expat.h [9:18]
-        lib/xmlparse.c [9:37]
+        expat.h [9:19]
+        lib/xmlparse.c [9:38]
         lib/xmltok.c [9:24]
         lib/xmltok_impl.c [9:19]
 
@@ -434,7 +454,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL ac721fcd634b3e5674a847f5ed2f1c8e
 BELONGS ya.make
@@ -444,8 +464,8 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        expat.h [9:18]
-        lib/xmlparse.c [9:37]
+        expat.h [9:19]
+        lib/xmlparse.c [9:38]
         lib/xmltok.c [9:24]
         lib/xmltok_impl.c [9:19]
 
@@ -457,7 +477,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL b646d644160a51f7f42f9fd9f89d8b3f
 BELONGS ya.make
@@ -477,7 +497,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
         lib/xmlrole.c [9:19]
         lib/xmltok.c [9:24]
 
@@ -525,13 +545,13 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        expat.h [9:18]
+        expat.h [9:19]
         expat_external.h [9:18]
         lib/asciitab.h [9:13]
         lib/iasciitab.h [9:13]
         lib/latin1tab.h [9:13]
         lib/utf8tab.h [9:13]
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
         lib/xmlrole.c [9:19]
         lib/xmlrole.h [9:14]
         lib/xmltok.c [9:24]
@@ -548,7 +568,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL d548c6beaeae204247905b60d5feff91
 BELONGS ya.make
@@ -558,7 +578,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
         lib/xmltok_impl.c [9:19]
 
 KEEP     COPYRIGHT_SERVICE_LABEL dd3c5623e58aa85a367a6638299f50f3
@@ -569,7 +589,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL dfa8addb3a892dd8d176def4d3f0d567
 BELONGS ya.make
@@ -589,7 +609,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL e3d6c1b6030b59aad9996cc0a9efeda5
 BELONGS ya.make
@@ -599,7 +619,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL e8d75752f30998b89994f01f786353a2
 BELONGS ya.make
@@ -621,7 +641,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL ef0dda0153a00710149f327147a79b7f
 BELONGS ya.make
@@ -631,7 +651,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        expat.h [9:18]
+        expat.h [9:19]
 
 KEEP     COPYRIGHT_SERVICE_LABEL ef4a1bf87c0e9671b2e7497bc1fcfd12
 BELONGS ya.make
@@ -641,7 +661,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        expat.h [9:18]
+        expat.h [9:19]
         expat_external.h [9:18]
 
 KEEP     COPYRIGHT_SERVICE_LABEL f385189c52b8d4beb4f02b45629c23db
@@ -652,7 +672,7 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]
 
 KEEP     COPYRIGHT_SERVICE_LABEL fea018c6e4e19bc6bd4ac263c015567a
 BELONGS ya.make
@@ -680,4 +700,4 @@ BELONGS ya.make
         Score           : 100.00
         Match type      : COPYRIGHT
     Files with this license:
-        lib/xmlparse.c [9:37]
+        lib/xmlparse.c [9:38]

+ 5 - 5
contrib/libs/expat/.yandex_meta/devtools.licenses.report

@@ -42,7 +42,7 @@ BELONGS ya.make
 
 KEEP     MIT                  6bb6514a1d779748b76a73215a89ae66
 BELONGS ya.make
-FILE_INCLUDE AUTHORS found in files: expat.h at line 34, expat_external.h at line 34, lib/ascii.h at line 30, lib/asciitab.h at line 29, lib/iasciitab.h at line 29, lib/internal.h at line 50, lib/latin1tab.h at line 29, lib/utf8tab.h at line 29, lib/winconfig.h at line 29, lib/xmlparse.c at line 53, lib/xmlrole.c at line 35, lib/xmlrole.h at line 30, lib/xmltok.c at line 40, lib/xmltok.h at line 31, lib/xmltok_impl.c at line 35, lib/xmltok_impl.h at line 28, lib/xmltok_ns.c at line 31
+FILE_INCLUDE AUTHORS found in files: expat.h at line 35, expat_external.h at line 34, lib/ascii.h at line 30, lib/asciitab.h at line 29, lib/iasciitab.h at line 29, lib/internal.h at line 50, lib/latin1tab.h at line 29, lib/utf8tab.h at line 29, lib/winconfig.h at line 29, lib/xmlparse.c at line 54, lib/xmlrole.c at line 35, lib/xmlrole.h at line 30, lib/xmltok.c at line 40, lib/xmltok.h at line 31, lib/xmltok_impl.c at line 35, lib/xmltok_impl.h at line 28, lib/xmltok_ns.c at line 31
     Note: matched license text is too long. Read it in the source files.
     Scancode info:
         Original SPDX id: MIT
@@ -50,7 +50,7 @@ FILE_INCLUDE AUTHORS found in files: expat.h at line 34, expat_external.h at lin
         Match type      : TEXT
         Links           : http://opensource.org/licenses/mit-license.php, https://spdx.org/licenses/MIT
     Files with this license:
-        expat.h [20:37]
+        expat.h [21:38]
         expat_external.h [20:37]
         lib/ascii.h [16:33]
         lib/asciitab.h [15:32]
@@ -59,7 +59,7 @@ FILE_INCLUDE AUTHORS found in files: expat.h at line 34, expat_external.h at lin
         lib/latin1tab.h [15:32]
         lib/utf8tab.h [15:32]
         lib/winconfig.h [15:32]
-        lib/xmlparse.c [39:56]
+        lib/xmlparse.c [40:57]
         lib/xmlrole.c [21:38]
         lib/xmlrole.h [16:33]
         lib/xmltok.c [26:43]
@@ -90,7 +90,7 @@ BELONGS ya.make
         Match type      : NOTICE
         Links           : http://opensource.org/licenses/mit-license.php, https://spdx.org/licenses/MIT
     Files with this license:
-        expat.h [18:18]
+        expat.h [19:19]
         expat_external.h [18:18]
         lib/ascii.h [14:14]
         lib/asciitab.h [13:13]
@@ -100,7 +100,7 @@ BELONGS ya.make
         lib/nametab.h [11:11]
         lib/utf8tab.h [13:13]
         lib/winconfig.h [13:13]
-        lib/xmlparse.c [37:37]
+        lib/xmlparse.c [38:38]
         lib/xmlrole.c [19:19]
         lib/xmlrole.h [14:14]
         lib/xmltok.c [24:24]

+ 2 - 0
contrib/libs/expat/.yandex_meta/licenses.list.txt

@@ -25,6 +25,7 @@
    Copyright (c) 2016      Cristian Rodríguez <crrodriguez@opensuse.org>
    Copyright (c) 2016      Thomas Beutlich <tc@tbeu.de>
    Copyright (c) 2017      Rhodri James <rhodri@wildebeest.org.uk>
+   Copyright (c) 2022      Thijs Schreijer <thijs@thijsschreijer.nl>
    Licensed under the MIT license:
 
 
@@ -57,6 +58,7 @@
    Copyright (c) 2019      Vadim Zeitlin <vadim@zeitlins.org>
    Copyright (c) 2021      Dong-hee Na <donghee.na@python.org>
    Copyright (c) 2022      Samanta Navarro <ferivoz@riseup.net>
+   Copyright (c) 2022      Jeffrey Walton <noloader@gmail.com>
    Licensed under the MIT license:
 
 

+ 34 - 0
contrib/libs/expat/Changes

@@ -2,6 +2,40 @@ NOTE: We are looking for help with a few things:
       https://github.com/libexpat/libexpat/labels/help%20wanted
       If you can help, please get in touch.  Thanks!
 
+Release 2.4.7 Fri March 4 2022
+        Bug fixes:
+       #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
+                    with regard to all valid URI characters (RFC 3986),
+                    i.e. the following set (excluding whitespace):
+                    ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
+                    0123456789 % -._~ :/?#[]@ !$&'()*+,;=
+
+        Other changes:
+  #555 #570 #581  CMake|Windows: Store Expat version in the DLL
+            #577  Document consequences of namespace separator choices not just
+                    in doc/reference.html but also in header <expat.h>
+            #577  Document Expat's lack of validation of namespace URIs against
+                    RFC 3986, and that the XML 1.0r4 specification doesn't
+                    require Expat to validate namespace URIs, and that Expat
+                    may do more in that regard in future releases.
+                    If you find need for strict RFC 3986 URI validation on
+                    application level today, https://uriparser.github.io/ may
+                    be of interest.
+            #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
+            #575  Document that a call to XML_FreeContentModel can be done at
+                    a later time from outside the element declaration handler
+            #574  Make hardcoded namespace URIs easier to find in code
+            #573  Update documentation on use of XML_POOR_ENTOPY on Solaris
+       #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
+                    4.8.2 on Solaris.
+       #578 #580  Version info bumped from 9:6:8 to 9:7:8;
+                    see https://verbump.de/ for what these numbers do
+
+        Special thanks to:
+            Jeffrey Walton
+            Johnny Jazeix
+            Thijs Schreijer
+
 Release 2.4.6 Sun February 20 2022
         Bug fixes:
             #566  Fix a regression introduced by the fix for CVE-2022-25313

+ 1 - 1
contrib/libs/expat/README.md

@@ -5,7 +5,7 @@
 [![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases)
 
 
-# Expat, Release 2.4.6
+# Expat, Release 2.4.7
 
 This is Expat, a C library for parsing XML, started by
 [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997.

+ 18 - 4
contrib/libs/expat/expat.h

@@ -15,6 +15,7 @@
    Copyright (c) 2016      Cristian Rodríguez <crrodriguez@opensuse.org>
    Copyright (c) 2016      Thomas Beutlich <tc@tbeu.de>
    Copyright (c) 2017      Rhodri James <rhodri@wildebeest.org.uk>
+   Copyright (c) 2022      Thijs Schreijer <thijs@thijsschreijer.nl>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -174,8 +175,10 @@ struct XML_cp {
 };
 
 /* This is called for an element declaration. See above for
-   description of the model argument. It's the caller's responsibility
-   to free model when finished with it.
+   description of the model argument. It's the user code's responsibility
+   to free model when finished with it. See XML_FreeContentModel.
+   There is no need to free the model from the handler, it can be kept
+   around and freed at a later stage.
 */
 typedef void(XMLCALL *XML_ElementDeclHandler)(void *userData,
                                               const XML_Char *name,
@@ -237,6 +240,17 @@ XML_ParserCreate(const XML_Char *encoding);
    and the local part will be concatenated without any separator.
    It is a programming error to use the separator '\0' with namespace
    triplets (see XML_SetReturnNSTriplet).
+   If a namespace separator is chosen that can be part of a URI or
+   part of an XML name, splitting an expanded name back into its
+   1, 2 or 3 original parts on application level in the element handler
+   may end up vulnerable, so these are advised against;  sane choices for
+   a namespace separator are e.g. '\n' (line feed) and '|' (pipe).
+
+   Note that Expat does not validate namespace URIs (beyond encoding)
+   against RFC 3986 today (and is not required to do so with regard to
+   the XML 1.0 namespaces specification) but it may start doing that
+   in future releases.  Before that, an application using Expat must
+   be ready to receive namespace URIs containing non-URI characters.
 */
 XMLPARSEAPI(XML_Parser)
 XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator);
@@ -317,7 +331,7 @@ typedef void(XMLCALL *XML_StartDoctypeDeclHandler)(void *userData,
                                                    const XML_Char *pubid,
                                                    int has_internal_subset);
 
-/* This is called for the start of the DOCTYPE declaration when the
+/* This is called for the end of the DOCTYPE declaration when the
    closing > is encountered, but after processing any external
    subset.
 */
@@ -1041,7 +1055,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
 */
 #define XML_MAJOR_VERSION 2
 #define XML_MINOR_VERSION 4
-#define XML_MICRO_VERSION 6
+#define XML_MICRO_VERSION 7
 
 #ifdef __cplusplus
 }

+ 3 - 3
contrib/libs/expat/expat_config.h

@@ -77,7 +77,7 @@
 #define PACKAGE_NAME "expat"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "expat 2.4.6"
+#define PACKAGE_STRING "expat 2.4.7"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "expat"
@@ -86,7 +86,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "2.4.6"
+#define PACKAGE_VERSION "2.4.7"
 
 /* Define to 1 if all of the C90 standard headers exist (not just the ones
    required in a freestanding environment). This macro is provided for
@@ -94,7 +94,7 @@
 #define STDC_HEADERS 1
 
 /* Version number of package */
-#define VERSION "2.4.6"
+#define VERSION "2.4.7"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */

+ 137 - 10
contrib/libs/expat/lib/xmlparse.c

@@ -1,4 +1,4 @@
-/* a30d2613dcfdef81475a9d1a349134d2d42722172fdaa7d5bb12ed2aa74b9596 (2.4.6+)
+/* fcb1a62fefa945567301146eb98e3ad3413e823a41c4378e84e8b6b6f308d824 (2.4.7+)
                             __  __            _
                          ___\ \/ /_ __   __ _| |_
                         / _ \\  /| '_ \ / _` | __|
@@ -34,6 +34,7 @@
    Copyright (c) 2019      Vadim Zeitlin <vadim@zeitlins.org>
    Copyright (c) 2021      Dong-hee Na <donghee.na@python.org>
    Copyright (c) 2022      Samanta Navarro <ferivoz@riseup.net>
+   Copyright (c) 2022      Jeffrey Walton <noloader@gmail.com>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -133,7 +134,7 @@
       * BSD / macOS (including <10.7) (arc4random): HAVE_ARC4RANDOM, \
       * libbsd (arc4random_buf): HAVE_ARC4RANDOM_BUF + HAVE_LIBBSD, \
       * libbsd (arc4random): HAVE_ARC4RANDOM + HAVE_LIBBSD, \
-      * Linux (including <3.17) / BSD / macOS (including <10.7) (/dev/urandom): XML_DEV_URANDOM, \
+      * Linux (including <3.17) / BSD / macOS (including <10.7) / Solaris >=8 (/dev/urandom): XML_DEV_URANDOM, \
       * Windows >=Vista (rand_s): _WIN32. \
     \
     If insist on not using any of these, bypass this error by defining \
@@ -722,6 +723,7 @@ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
   return XML_ParserCreate_MM(encodingName, NULL, tmp);
 }
 
+// "xml=http://www.w3.org/XML/1998/namespace"
 static const XML_Char implicitContext[]
     = {ASCII_x,     ASCII_m,     ASCII_l,      ASCII_EQUALS, ASCII_h,
        ASCII_t,     ASCII_t,     ASCII_p,      ASCII_COLON,  ASCII_SLASH,
@@ -3704,12 +3706,124 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
   return XML_ERROR_NONE;
 }
 
+static XML_Bool
+is_rfc3986_uri_char(XML_Char candidate) {
+  // For the RFC 3986 ANBF grammar see
+  // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
+
+  switch (candidate) {
+  // From rule "ALPHA" (uppercase half)
+  case 'A':
+  case 'B':
+  case 'C':
+  case 'D':
+  case 'E':
+  case 'F':
+  case 'G':
+  case 'H':
+  case 'I':
+  case 'J':
+  case 'K':
+  case 'L':
+  case 'M':
+  case 'N':
+  case 'O':
+  case 'P':
+  case 'Q':
+  case 'R':
+  case 'S':
+  case 'T':
+  case 'U':
+  case 'V':
+  case 'W':
+  case 'X':
+  case 'Y':
+  case 'Z':
+
+  // From rule "ALPHA" (lowercase half)
+  case 'a':
+  case 'b':
+  case 'c':
+  case 'd':
+  case 'e':
+  case 'f':
+  case 'g':
+  case 'h':
+  case 'i':
+  case 'j':
+  case 'k':
+  case 'l':
+  case 'm':
+  case 'n':
+  case 'o':
+  case 'p':
+  case 'q':
+  case 'r':
+  case 's':
+  case 't':
+  case 'u':
+  case 'v':
+  case 'w':
+  case 'x':
+  case 'y':
+  case 'z':
+
+  // From rule "DIGIT"
+  case '0':
+  case '1':
+  case '2':
+  case '3':
+  case '4':
+  case '5':
+  case '6':
+  case '7':
+  case '8':
+  case '9':
+
+  // From rule "pct-encoded"
+  case '%':
+
+  // From rule "unreserved"
+  case '-':
+  case '.':
+  case '_':
+  case '~':
+
+  // From rule "gen-delims"
+  case ':':
+  case '/':
+  case '?':
+  case '#':
+  case '[':
+  case ']':
+  case '@':
+
+  // From rule "sub-delims"
+  case '!':
+  case '$':
+  case '&':
+  case '\'':
+  case '(':
+  case ')':
+  case '*':
+  case '+':
+  case ',':
+  case ';':
+  case '=':
+    return XML_TRUE;
+
+  default:
+    return XML_FALSE;
+  }
+}
+
 /* addBinding() overwrites the value of prefix->binding without checking.
    Therefore one must keep track of the old value outside of addBinding().
 */
 static enum XML_Error
 addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
            const XML_Char *uri, BINDING **bindingsPtr) {
+  // "http://www.w3.org/XML/1998/namespace"
   static const XML_Char xmlNamespace[]
       = {ASCII_h,      ASCII_t,     ASCII_t,     ASCII_p,      ASCII_COLON,
          ASCII_SLASH,  ASCII_SLASH, ASCII_w,     ASCII_w,      ASCII_w,
@@ -3720,6 +3834,7 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
          ASCII_e,      ASCII_s,     ASCII_p,     ASCII_a,      ASCII_c,
          ASCII_e,      '\0'};
   static const int xmlLen = (int)sizeof(xmlNamespace) / sizeof(XML_Char) - 1;
+  // "http://www.w3.org/2000/xmlns/"
   static const XML_Char xmlnsNamespace[]
       = {ASCII_h,     ASCII_t,      ASCII_t, ASCII_p, ASCII_COLON,  ASCII_SLASH,
          ASCII_SLASH, ASCII_w,      ASCII_w, ASCII_w, ASCII_PERIOD, ASCII_w,
@@ -3760,14 +3875,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
       isXMLNS = XML_FALSE;
 
-    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
-    //       we have to at least make sure that the XML processor on top of
-    //       Expat (that is splitting tag names by namespace separator into
-    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
-    //       by an attacker putting additional namespace separator characters
-    //       into namespace declarations.  That would be ambiguous and not to
-    //       be expected.
-    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+    // NOTE: While Expat does not validate namespace URIs against RFC 3986
+    //       today (and is not REQUIRED to do so with regard to the XML 1.0
+    //       namespaces specification) we have to at least make sure, that
+    //       the application on top of Expat (that is likely splitting expanded
+    //       element names ("qualified names") of form
+    //       "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
+    //       in its element handler code) cannot be confused by an attacker
+    //       putting additional namespace separator characters into namespace
+    //       declarations.  That would be ambiguous and not to be expected.
+    //
+    //       While the HTML API docs of function XML_ParserCreateNS have been
+    //       advising against use of a namespace separator character that can
+    //       appear in a URI for >20 years now, some widespread applications
+    //       are using URI characters (':' (colon) in particular) for a
+    //       namespace separator, in practice.  To keep these applications
+    //       functional, we only reject namespaces URIs containing the
+    //       application-chosen namespace separator if the chosen separator
+    //       is a non-URI character with regard to RFC 3986.
+    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
+        && ! is_rfc3986_uri_char(uri[len])) {
       return XML_ERROR_SYNTAX;
     }
   }
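Review bot: The relaxed condition in addBinding(), `&& ! is_rfc3986_uri_char(uri[len])`, rejects a namespace URI containing the separator only when that separator is not an RFC 3986 character. A parser created with a URI-character separator such as ':' therefore no longer gets the separator-in-URI rejection that the CVE-2022-25236 fix added. Since this is a vendored import, the follow-up belongs to the consuming tree: check which separator each in-tree caller of XML_ParserCreateNS passes, and where the handler splits expanded names, move it to a non-URI character such as '\n' or '|', as the updated expat.h comment advises. The new comment in is_rfc3986_uri_char also misspells the grammar name and should read `// For the RFC 3986 ABNF grammar see`. addBinding's body starts and ends outside this hunk, so the rest of its validation is not visible here.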

+ 2 - 2
contrib/libs/expat/ya.make

@@ -7,9 +7,9 @@ OWNER(
     g:cpp-contrib
 )
 
-VERSION(2.4.6)
+VERSION(2.4.7)
 
-ORIGINAL_SOURCE(https://github.com/libexpat/libexpat/releases/download/R_2_4_6/expat-2.4.6.tar.xz)
+ORIGINAL_SOURCE(https://github.com/libexpat/libexpat/releases/download/R_2_4_7/expat-2.4.7.tar.xz)
 
 LICENSE(
     CC0-1.0 AND