On Fri, 2025-03-14 at 16:41 +0100, Nico Verwer (Rakensi) wrote:
>
> The latest release says: "Entities: expansion limit exceeded or
> recursive definitions found."
> No more billion laughs!
Note that this attack affects every language with the ability to make
new objects by joining strings, including JavaScript (which imposes a
similar limit).
For example, in XQuery,

    let $s1 := ":-) :-) :-)",
        $s2 := $s1 || $s1 || $s1 || $s1 || $s1 || $s1,
        $s3 := $s2 || $s2 || $s2 || $s2 || $s2 || $s2
    return $s3 || $s3

(probably you have to go a bit further but you see the idea).
A public-facing page that accepts XPath, XQuery or XSLT should have
limits on memory usage, e.g. with setrlimit on Linux or Unix systems
(e.g. using the bash ulimit command).
--
Liam Quin, https://www.delightfulcomputing.com/
Available for XML/Document/Information Architecture/XSLT/
XSL/XQuery/Web/Text Processing/A11Y training, work & consulting.
Barefoot Web-slave, antique illustrations: http://www.fromoldbooks.org
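
Added example, not part of the original message: one way to apply the setrlimit advice from a Python service, capping the address space of the child process that evaluates an untrusted query. The evaluator command, the two job strings and the 512 MiB and 30 second figures are assumptions; a Python child stands in for the real XPath/XQuery/XSLT processor.

```python
import resource
import subprocess
import sys

MIB = 1024 * 1024

# Constructed stand-ins for submitted queries. GROWING_JOB repeats the
# self-concatenation from the XQuery above until memory runs out;
# SMALL_JOB stops at the same 72 copies the XQuery returns.
GROWING_JOB = "s = ':-) :-) :-)'\nwhile True:\n    s = s + s\n"
SMALL_JOB = "s = ':-) :-) :-)' * 72\nprint(len(s))\n"


def run_limited(argv, max_bytes=512 * MIB, timeout=30):
    """Run argv in a child process whose address space is capped."""

    def cap_memory():
        # Runs in the child between fork() and exec(), so the limit
        # applies only to the evaluator, not to the calling service.
        resource.setrlimit(resource.RLIMIT_AS, (max_bytes, max_bytes))

    return subprocess.run(
        argv,
        preexec_fn=cap_memory,
        capture_output=True,
        text=True,
        timeout=timeout,  # wall-clock backstop (assumed value)
    )


def evaluate(job_source, **limits):
    # Hypothetical evaluator: replace this argv with the command line
    # of the real query processor.
    return run_limited([sys.executable, "-c", job_source], **limits)


if __name__ == "__main__":
    for name, job in (("small", SMALL_JOB), ("growing", GROWING_JOB)):
        result = evaluate(job)
        last = result.stderr.strip().splitlines()[-1:] or ["ok"]
        print(name, "exit", result.returncode, last[0])
```

The shell equivalent is to run the processor in a subshell after `ulimit -v`, which takes its value in KiB.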