<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Initially, JSword only accepted Major.Minor, converting that into a decimal. That was based on a poor understanding of the CrossWire wiki. That was changed to match SWORD’s 4 part “number” with a minor modification.</div><div class=""><br class=""></div>JSword will reject any version that doesn’t match the pattern: ^(\d+)(?:.(\d+))?(?:.(\d+))?(?:.(\d+))?$<div class=""><br class=""></div><div class="">I think I encoded this to allow pretty much any single non-digit separator. The . will match any single character and \d+ is greedy. So it will accept Karl’s encoding.<br class=""><div class=""><div class=""><br class=""></div><div class="">The wiki on the conf clearly states: “Do not use non-numbers, such as 1.4a”</div><div class="">(See: <a href="http://wiki.crosswire.org/DevTools:conf_Files" class="">http://wiki.crosswire.org/DevTools:conf_Files</a>)</div><div class=""><br class=""></div><div class="">The conf also documents that the third part should be incremented when only the conf is affected. The first or second when the module is different.</div><div class=""><br class=""></div><div class="">Here is JSword's code:<br class=""><div><div>/**</div><div> * Distribution License:</div><div> * JSword is free software; you can redistribute it and/or modify it under</div><div> * the terms of the GNU Lesser General Public License, version 2.1 or later</div><div> * as published by the Free Software Foundation. This program is distributed</div><div> * in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even</div><div> * the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.</div><div> * See the GNU Lesser General Public License for more details.</div><div> *</div><div> * The License is available on the internet at:</div><div> * <a href="http://www.gnu.org/copyleft/lgpl.html" class="">http://www.gnu.org/copyleft/lgpl.html</a></div><div> * or by writing to:</div><div> * Free Software Foundation, Inc.</div><div> * 59 Temple Place - Suite 330</div><div> * Boston, MA 02111-1307, USA</div><div> *</div><div> * © CrossWire Bible Society, 2011 - 2016</div><div> *</div><div> */</div><div>package org.crosswire.common.util;</div><div><br class=""></div><div>import java.util.regex.Matcher;</div><div>import java.util.regex.Pattern;</div><div><br class=""></div><div>/**</div><div> * Version is an immutable representation of dotted "number" consisting of 1 to 4 parts.</div><div> * </div><div> * <p></div><div> * Here is the grammar for version strings:</div><div> * </p></div><div> * <pre></div><div> * version ::= major('.'minor('.'micro('.'nano)?)?)?</div><div> * major ::= [0-9]+</div><div> * minor ::= [0-9]+</div><div> * micro ::= [0-9]+</div><div> * nano ::= [0-9]+</div><div> * </pre></div><div> * </div><div> * @see gnu.lgpl.License The GNU Lesser General Public License for details.</div><div> * @author DM Smith</div><div> */</div><div>public class Version implements Comparable<Version> {</div><div> public static final Pattern VERSION_PATTERN = Pattern.compile("^(\\d+)(?:.(\\d+))?(?:.(\\d+))?(?:.(\\d+))?$");</div><div><br class=""></div><div> /**</div><div> * Created a version identifier from the specified string.</div><div> * </div><div> * @param version String representation of the version identifier.</div><div> * @throws IllegalArgumentException If <code>version</code> is improperly</div><div> * formatted.</div><div> */</div><div> public Version(String version) {</div><div> if (version == null) {</div><div> throw new IllegalArgumentException("Null version not allowed.");</div><div> }</div><div> this.original = version;</div><div> this.parts = new int[] { -1, -1, -1, -1 };</div><div> Matcher matcher = VERSION_PATTERN.matcher(this.original);</div><div> if (matcher.matches()) {</div><div> int count = matcher.groupCount();</div><div> for (int i = 1; i <= count; i++) {</div><div> String part = matcher.group(i);</div><div> if (part == null) {</div><div> break;</div><div> }</div><div> parts[i - 1] = Integer.parseInt(part);</div><div> }</div><div> } else {</div><div> throw new IllegalArgumentException("invalid: " + version);</div><div> }</div><div> }</div><div><br class=""></div><div> /**</div><div> * Returns the original string representation of this version identifier.</div><div> *</div><div> * @return The original string representation of this version identifier.</div><div> */</div><div> @Override</div><div> public String toString() {</div><div> return original;</div><div> }</div><div><br class=""></div><div> @Override</div><div> public int hashCode() {</div><div> return original.hashCode();</div><div> }</div><div><br class=""></div><div> /**</div><div> * Compares this <code>Version</code> object to another object.</div><div> * </div><div> * <p></div><div> * A version is considered to be equal to another version if all the</div><div> * parts are equal.</p></div><div> * </div><div> * @param object The <code>Version</code> object to be compared.</div><div> * @return true if the two objects are equal.</div><div> */</div><div> @Override</div><div> public boolean equals(Object object) {</div><div> if (!(object instanceof Version)) {</div><div> return false;</div><div> }</div><div><br class=""></div><div> Version that = (Version) object;</div><div> if (that == this) {</div><div> return true;</div><div> }</div><div><br class=""></div><div> for (int i = 0; i < parts.length; i++) {</div><div> if (parts[i] != that.parts[i]) {</div><div> return false;</div><div> }</div><div> }</div><div><br class=""></div><div> return true;</div><div> }</div><div><br class=""></div><div> /**</div><div> * Compares this <code>Version</code> object to another object.</div><div> * </div><div> * <p></div><div> * The comparison considers each of the parts (major, minor, micro, nano) in turn,</div><div> * comparing like with like. At any point the comparison is not equal, a result is</div><div> * known.</div><div> * </p></div><div> * </div><div> * @param object The <code>Version</code> object to be compared.</div><div> * @return A negative integer, zero, or a positive integer if this object is</div><div> * less than, equal to, or greater than the specified</div><div> * <code>Version</code> object.</div><div> * @throws ClassCastException If the specified object is not a <code>Version</code>.</div><div> */</div><div> public int compareTo(Version object) {</div><div> if (object == this) {</div><div> return 0;</div><div> }</div><div><br class=""></div><div> for (int i = 0; i < parts.length; i++) {</div><div> int result = parts[i] - object.parts[i];</div><div> if (result != 0) {</div><div> return result;</div><div> }</div><div> }</div><div><br class=""></div><div> return 0;</div><div> }</div><div><br class=""></div><div> private final String original;</div><div> private final int[] parts;</div><div><br class=""></div><div>}</div><div class=""><br class=""></div><blockquote type="cite" class=""><div class="">On Sep 25, 2018, at 7:07 AM, David Haslam <<a href="mailto:dfhdfh@protonmail.com" class="">dfhdfh@protonmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Thanks Peter,</div>
<div class="">
<br class="">
</div>
<div class="">We should therefore also encourage Karl to review and update any such modules in the Xiphos repository.</div>
<div class="">
<br class="">
</div>
<div class="">The reason I added my aside was that version values are clearly used for comparison purposes to determine whether a module has been updated.</div>
<div class="">Version is one of maybe only a few configuration keys upon which calculations are made.</div>
<div class="">This logically led me to pose the question about potential buffer overflows, even though I'm not part of the SWORD coding team.</div>
<div class="">cf. My awareness of what can be exploited from a buffer overflow or the like has been honed by 13 years of watching the Security Now! webcasts on <a href="http://twit.tv" class="">twit.tv</a></div>
<div class="">
<br class="">
</div>
<div class="">Further aside: How does JSword process the same key?</div>
<div class="">
<br class="">
</div>
<div class="">David</div>
<div class="">
<br class="">
</div>
<div id="protonmail_mobile_signature_block" class="">Sent from ProtonMail Mobile</div>
<div class="">
<br class="">
<div class="">
<div class="">
<br class="">
</div>On Tue, Sep 25, 2018 at 11:54, Peter Von Kaehne <<a href="mailto:refdoc@gmx.net" class="">refdoc@gmx.net</a>> wrote:</div>
<blockquote class="protonmail_quote" type="cite">I think there are two aspects then - version numbers should be correct in current modules. I think the bulk of the modules you listed are Xiphos, not CrossWire, but at least one is issued by CrossWire, maybe more. I will fix CrossWire's set.
<br class="">
<br class="">The other is - wrong version numbers should not crash the engine or produce unreliable/undefined results. Or at least the engine should go down with a decent error message. In essence all places where wrong module conf file entries can cause grief in
the engine, I guess some level of sanity checking should happen - Particularly if we want to encourage other publishers to take up offering repositories.
<br class="">
<br class="">Peter
<br class="">
<br class="">
<br class="">
<br class="">> Gesendet: Dienstag, 25. September 2018 um 10:56 Uhr
<br class="">> Von: "Jaak Ristioja" <<a href="mailto:jaak@ristioja.ee" class="">jaak@ristioja.ee</a>>
<br class="">> An: <a href="mailto:sword-devel@crosswire.org" class="">sword-devel@crosswire.org</a>
<br class="">> Betreff: Re: [sword-devel] Module version numbers
<br class="">>
<br class="">> > Aside: Are there any limits to the number of dot separators in the
<br class="">> Version value, or to the number of digits in total or in any part?
<br class="">> > Would SWORD crash with a buffer overflow were it to encounter an
<br class="">> inordinately long Version?
<br class="">>
<br class="">> The relevant code to parse the version string is in the SWVersion
<br class="">> constructor:
<br class="">>
<br class="">> SWVersion::SWVersion(const char *version) {
<br class="">> char *buf = new char[ strlen(version) + 1 ];
<br class="">> char *tok;
<br class="">> major = minor = minor2 = minor3 = -1;
<br class="">>
<br class="">> strcpy(buf, version);
<br class="">> tok = strtok(buf, ".");
<br class="">> if (tok)
<br class="">> major = atoi(tok);
<br class="">> tok = strtok(0, ".");
<br class="">> if (tok)
<br class="">> minor = atoi(tok);
<br class="">> tok = strtok(0, ".");
<br class="">> if (tok)
<br class="">> minor2 = atoi(tok);
<br class="">> tok = strtok(0, ".");
<br class="">> if (tok)
<br class="">> minor3 = atoi(tok);
<br class="">> delete [] buf;
<br class="">> }
<br class="">>
<br class="">> Very long version strings can only crash it if this runs out of memory.
<br class="">> Other than that, it will just return an incorrect version. There are no
<br class="">> limits to the number of dot separators, but only up to 4 version
<br class="">> components separated by dots are actually parsed. AFAIK, the behavior of
<br class="">> atoi() is undefined for invalid input. On my system, the results are as
<br class="">> follows:
<br class="">>
<br class="">> "9.1" -> 9.1
<br class="">> "99.1" -> 99.1
<br class="">> "999.1" -> 999.1
<br class="">> "9999.1" -> 9999.1
<br class="">> "99999.1" -> 99999.1
<br class="">> "999999.1" -> 999999.1
<br class="">> "9999999.1" -> 9999999.1
<br class="">> "99999999.1" -> 99999999.1
<br class="">> "999999999.1" -> 999999999.1
<br class="">> "9999999999.1" -> 1410065407.1
<br class="">> "99999999999.1" -> 1215752191.1
<br class="">> "999999999999.1" -> -727379969.1
<br class="">> "9999999999999.1" -> 1316134911.1
<br class="">> "99999999999999.1" -> 276447231.1
<br class="">> "999999999999999.1" -> -1530494977.1
<br class="">> "9999999999999999.1" -> 1874919423.1
<br class="">> "99999999999999999.1" -> 1569325055.1
<br class="">> "999999999999999999.1" -> -1486618625.1
<br class="">> "9999999999999999999.1" -> -1.1
<br class="">> "99999999999999999999.1" -> -1.1
<br class="">>
<br class="">>
<br class="">> J
<br class="">>
<br class="">> On 25.09.2018 12:03, David Haslam wrote:
<br class="">> > Ignoring the spurious SwordVersion hit, it seems that the string after the dash is a date in six digit format.
<br class="">> >
<br class="">> > IMHO, these modules should simply be re-issued with the dates recorded in the respective History key.
<br class="">> >
<br class="">> > It's not worth the effort to make the API parse these as they are now.
<br class="">> > The dash is a nonconformance to what should be in the Version key.
<br class="">> >
<br class="">> > Aside: Are there any limits to the number of dot separators in the Version value, or to the number of digits in total or in any part?
<br class="">> > Would SWORD crash with a buffer overflow were it to encounter an inordinately long Version?
<br class="">> >
<br class="">> > Best regards,
<br class="">> >
<br class="">> > David
<br class="">> >
<br class="">> > Sent from ProtonMail Mobile
<br class="">> >
<br class="">> > On Tue, Sep 25, 2018 at 09:44, Jaak Ristioja <<a href="mailto:jaak@ristioja.ee" class="">jaak@ristioja.ee</a>> wrote:
<br class="">> >
<br class="">> >> Hello!
<br class="">> >>
<br class="">> >> Most modules include version numbers matching the regular expression
<br class="">> >>
<br class="">> >> ^[0-9]+(.[0-9]+)*$
<br class="">> >>
<br class="">> >> However, looking at the .conf files, there are version fields with
<br class="">> >> values also containing dashes:
<br class="">> >>
<br class="">> >> ~/.sword/mods.d $ grep -E 'Version=.*-' *
<br class="">> >> 2tgreek.conf:Version=2.7-120109
<br class="">> >> invstrongsrealgreek.conf:Version=1.4-090107
<br class="">> >> jesermons.conf:SwordVersion=2017-05-24
<br class="">> >> strongsrealgreek.conf:Version=1.5-150704
<br class="">> >> tischmorph.conf:Version=2.7-120109
<br class="">> >>
<br class="">> >> How should these be interpreted? Should 1.2-3.4 be interpreted as
<br class="">> >> (1).(2-3).(4) or (1.2)-(3.4)? It seems that SWVersion interprets such as
<br class="">> >> just 1.2.4 (without the -3 entirely).
<br class="">> >>
<br class="">> >> God bless!
<br class="">> >> J
<br class="">> >>
<br class="">> >> _______________________________________________
<br class="">> >> sword-devel mailing list: <a href="mailto:sword-devel@crosswire.org" class="">sword-devel@crosswire.org</a>
<br class="">> >> <a href="http://www.crosswire.org/mailman/listinfo/sword-devel" class="">http://www.crosswire.org/mailman/listinfo/sword-devel</a>
<br class="">> >> Instructions to unsubscribe/change your settings at above page
<br class="">> >>
<br class="">> >>
<br class="">> >> _______________________________________________
<br class="">> >> sword-devel mailing list: <a href="mailto:sword-devel@crosswire.org" class="">sword-devel@crosswire.org</a>
<br class="">> >> <a href="http://www.crosswire.org/mailman/listinfo/sword-devel" class="">http://www.crosswire.org/mailman/listinfo/sword-devel</a>
<br class="">> >> Instructions to unsubscribe/change your settings at above page
<br class="">>
<br class="">>
<br class="">> _______________________________________________
<br class="">> sword-devel mailing list: <a href="mailto:sword-devel@crosswire.org" class="">sword-devel@crosswire.org</a>
<br class="">> <a href="http://www.crosswire.org/mailman/listinfo/sword-devel" class="">http://www.crosswire.org/mailman/listinfo/sword-devel</a>
<br class="">> Instructions to unsubscribe/change your settings at above page
<br class="">>
<br class="">
<br class="">_______________________________________________
<br class="">sword-devel mailing list: <a href="mailto:sword-devel@crosswire.org" class="">sword-devel@crosswire.org</a>
<br class=""><a href="http://www.crosswire.org/mailman/listinfo/sword-devel" class="">http://www.crosswire.org/mailman/listinfo/sword-devel</a>
<br class="">Instructions to unsubscribe/change your settings at above page
<br class="">
</blockquote>
</div>_______________________________________________<br class="">sword-devel mailing list: <a href="mailto:sword-devel@crosswire.org" class="">sword-devel@crosswire.org</a><br class=""><a href="http://www.crosswire.org/mailman/listinfo/sword-devel" class="">http://www.crosswire.org/mailman/listinfo/sword-devel</a><br class="">Instructions to unsubscribe/change your settings at above page</div></blockquote></div><br class=""></div></div></div></body></html>