XML-RPC for C/C++ (Xmlrpc-c) Code
Brought to you by:
giraffedata
Menu
▾
▴
Tree [r3316] / trunk / History
Read Me
This is the source code for XML-RPC for C/C++, called Xmlrpc-c for short. XML-RPC for C/C++ is programming libraries and related tools to help you write an XML-RPC server or client in C or C++. The user guide for the package is at http://xmlrpc-c.sourceforge.net/doc See the Xmlrpc-c website at: http://xmlrpc-c.sourceforge.net/ Additional documentation, including history of the project, is in the 'doc' directory in the source tree. PREREQUISITES ------------- To build a useful Xmlrpc-c client library, you'll need to have at least one HTTP library. Xmlrpc-c knows how to use W3C Libwww (Version 5.3.2 or newer), Curl, and Wininet. The configurator gives you the option of building libraries that use any or all of these, and defaults to every one you appear to have installed. If you don't appear to have any installed, the configurator causes the build to omit client facilities altogether. Information about W3C Libwww, including how to get it are at <http://www.w3.org/Library>. For Curl, see <http://curl.haxx.se>. Wininet comes with Windows, and isn't available for any other platform. You also need an XML parser library. By default, it needs Libxml2 from the Gnome project. See <https://gitlab.gnome.org>/GNOME/libxml2>. But you can eliminate this prerequisite by using a built-in XML parser, which you specify with a --disable-libxml2 option on 'configure'. See BUILT-IN XML PARSER ISSUES to see if the built-in XML parser is sufficient for you. BUILDING, INSTALLING -------------------- See the file doc/INSTALL. In the simplest case, it's just a conventional $ ./configure $ make $ make install And then, if Linux: $ ldconfig ADDITIONAL INFORMATION ---------------------- See the doc/ directory of the source tree for information about the source code. User documentation is on the web, as described above. BUILT-IN XML PARSER ISSUES -------------------------- By default, Xmlrpc-c builds to use the GNOME Project's Libxml2 to parse the XML of an XML-RPC call or response. If the build configurator cannot find Libxml2 on your system, build configuration fails. But there is also a simpler built-in XML parser that you could use, and all you have to do is specify the --disable-libxml2 option to 'configure' when you build. The problem with the built-in parser is that it has bugs that cause a security exposure if your XML-RPC server or client is exposed to hackers. A hacker who knows about one of these bugs and is able to send arbitrary messages to your XML-RPC server or client could cause it to use excessive memory or CPU time or crash your process. If you trust your communication partner, or your risk of hack attempts is low, the built-in parser is fine. The fact that the built-in parser was used almost exclusively for the first 24 years of Xmlrpc-c's existence without anyone encountering (and reporting) any these bugs means there is virtually no chance you will encounter them absent some kind of malice. There are actually no _known_ bugs in the internal parser (if we had specific knowledge of them, we would fix them), but we presume these bugs are there because the internal parser is a slight modification of a 2001 version of Expat, and since 2001, there have been dozens of reports of security vulnerabilities in Expat (they have all been fixed in Expat, of course). In case you are wondering, the reason Xmlrpc-c contains this internal parser is that when it was designed, in 2001, software distribution was not as seamless as it is today and depending on a third-party package caused a fair amount of problems. Copying Expat into the Xmlrpc-c distribution made Xmlrpc-c much simpler and more reliable. Hacking was not as prevalent as it is today, so the problem of duplicating all those hidden security exposure bugs was not a big detractor from this bundling. But probably because of the changing tradeoffs in bundling vs depending, developers added the option in 2004 of using a separate Libxml2 library instead of the built-in parser. Considering how little of XML XML-RPC uses, it is not clear why the option was made to use external Libxml2 versus just using external Expat. When the Expat developer pointed out in 2025 the likelihood that the Xmlrpc-c fork of Expat contained dozens of security exposure bugs, the Xmlrpc-c maintainer decided to make external Libxml2 the default.
