eXist-db 4.2.0 Released

June 6, 2018

Submitted by Adam Retter.

eXist-db v4.2.0 has just been released. This is a minor release, which contains an important security fix, as well as several new features and bug fixes.

Security Fixes

  • Added avoidance for Zip Slip / Zip Exit attacks.
  • NOTE: Developers should take care when writing their own $entry-data functions for compression:unzip or compression:untar if they are writing the file entries to persistent storage using the name of the entry from the archive; Consideration should be given to employing further exit attack protections of their own.


  • XQuery compression:unzip and compression:untar functions have received some lower-arity signatures which should simplify use. Also some helper functions have been added: compression:no-filter, compression:db-store-*, and compression:fs-store-*.
  • The XQuery util:eval-with-context function now allows a timeout to be set.
  • XQSuite gains the annotation %test:assumeInternetAccess for ensuring Internet Access is available if required.
  • XML-RPC Server character set is now configurable, defaults to UTF-8.
  • XQueryURLRewrite challenge is now configurable, defaults to always challenging for basic authentication.
  • Building YAJSW no longer requires JAVA_HOME if java is available on the system PATH.
  • ClassLoaderSource now tracks source file for easy referencing.
  • Display the specific JVM version details when building eXist-db.
  • Updated third-party dependencies:
  • Apache Commons Configuration 1.17
  • Eclipse AspectJ 1.9.1
  • Eclipse Jetty 9.4.10.v20180503
  • FasterXML Jackson 2.9.5
  • Jargo 0.4.14
  • Java 8 Functional Utilities 1.16
  • XMLUnit 2.6.0

Performance Improvements

  • Minor performance improvements when streaming binary files from the database.
  • Replaced many uses of Reflection with use of Constructor lambda functions and Method Handles.
  • Broker construction functions are now cached.
  • In the XML:DB Remote API small transfers will not be compressed, which saves both time and space (due to compression overhead).
  • XML:DB Remote API no longer allocates full-chunks in memory if they are not required.

Bug Fixes

  • Fixed a memory leak which manifests when making heavy use of higher-order-functions in XQuery.
  • Fixed a problem with serialization where empty namespace declarations could be lost. This applies to the XML:DB, XML-RPC and WebDAV interfaces.
  • SAX Serialization now handles lexical CDATA sections and DTD's.
  • Fixed a potential deadlock when validating XML documents against various types of Schema.
  • EXPath HTTP Client now correctly adheres to the character set of the server's response.
  • Reduced severity of log messages in the Temporary File Manager.
  • Memory Mapping of temporary files is now handled correctly on Microsoft Windows.
  • One eXist-db instance can no longer accidentally delete the temporary files of another instance (which may be in use).
  • Fixed concurrent use issues with the Index Manager.
  • Index configuration changes now cause the Index Controller to be reloaded.
  • fn:format-date previously calculated the name of the day of the week incorrectly (off by one e.g. Monday -> Tuesday).
  • file:mkdirs no longer incorrectly raises an error if the directory already exists.
  • Fixed a NullPointerException when uploading large documents via the XML-RPC and XML:DB Remote APIs.
  • Handling of Zip entry filenames are now compatible with Java 10.
  • Fixed the behaviour of the XMLUnit functions.
  • XQSuite now correctly displays results when an error is expected.
  • XQSuite now shows the correct messages for %test:assertTrue and %test:assertFalse.
  • XSuite test resources are now correctly loaded from the classpath.

Backwards Compatibility

  • eXist-db v4.2.0 is backwards binary-compatible as far as v3.0, but not with earlier versions. Users who are upgrading should always consult the Upgrading Guide in the documentation.
  • NOTE: The version of Dashboard that was installed with eXist-db 3.6.1 (or earlier) is incompatible with eXist-db 4.0.0 and newer. If you plan to migrate your entire database to eXist-db 4.2.0, you MUST take one of the following steps to allow Dashboard to work after the upgrade: 1. If you have not yet installed eXist-db 4.2.0, open Dashboard > Package Manager, and upgrade Dashboard to 0.4.10, or run this script in eXide or the Java Admin Client: repo:install-and-deploy("http://exist-db.org/apps/dashboard", "http://demo.exist-db.org/exist/apps/public-repo/modules/find.xql"). Then you may safely install eXist-db 4.2.0 and use Dashboard. 2. If you install eXist-db 4.2.0 before upgrading Dashboard, run this script in eXide or the Java Admin Client: repo:install-and-deploy("http://exist-db.org/apps/dashboard", "http://demo.exist-db.org/exist/apps/public-repo/modules/find.xql"). Then you may use Dashboard.

Downloading This Version

  • eXist-db v4.2.0 is available for download from Bintray.
  • Docker images for are available from EvolvedBinary's DockerHub.
  • Maven artifacts are available from our mvn-repo.
  • Mac users of the Homebrew package repository may acquire eXist 4.2.0 directly from there.

Related links

News items may be commercial in nature and are published as received.