Florian Weimer created SVN-4630:
-----------------------------------

             Summary: Unrestricted internal XML entities expansion
                 Key: SVN-4630
                 URL: https://issues.apache.org/jira/browse/SVN-4630
             Project: Subversion
          Issue Type: Bug
          Components: mod_dav_svn
            Reporter: Florian Weimer
            Priority: Minor


In subversion 1.7.7 in {{tools/server-side/mod_dontdothat/mod_dontdothat.c}}, 
there is the following code:

{code}
      ctx->xmlp = XML_ParserCreate(NULL);
      apr_pool_cleanup_register(r->pool, ctx->xmlp,
                                clean_up_parser,
                                apr_pool_cleanup_null);
      XML_SetUserData(ctx->xmlp, ctx);
      XML_SetElementHandler(ctx->xmlp, start_element, end_element);
      XML_SetCharacterDataHandler(ctx->xmlp, cdata);
{code}

This doesn't disable entity expansion for the internal DTD subset, so there is 
a denial-of-service vector ("billion laughs attack").

Adding the following handler using

{code}
  /* Make Expat pass the parser handle itself (not ctx) to the handler,
     so the cast in EntityDeclHandler below is valid. */
  XML_UseParserAsHandlerArg(ctx->xmlp);
  XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler);
{code}

with the following function definition

{code}
/* Stop the parser when an entity declaration is encountered.
   Assumes userData is the XML_Parser handle (XML_UseParserAsHandlerArg);
   with the plain XML_SetUserData(ctx->xmlp, ctx) registration above,
   userData would be ctx and ctx->xmlp must be used instead. */
static void
EntityDeclHandler(void *userData,
                  const XML_Char *entityName, int is_parameter_entity,
                  const XML_Char *value, int value_length,
                  const XML_Char *base, const XML_Char *systemId,
                  const XML_Char *publicId, const XML_Char *notationName)
{
  /* XML_FALSE: abort outright, do not allow XML_ResumeParser(). */
  XML_StopParser((XML_Parser)userData, XML_FALSE);
}
{code}

The Expat parser creation in {{subversion/libsvn_ra_serf/util.c}} and 
{{subversion/libsvn_subr/xml.c}} should be fixed as well, but these are in the 
client-side code (I think), and therefore less of a security concern.
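The following is an added illustration, not code from the report or from Subversion: it uses Python's {{xml.parsers.expat}} binding (which wraps the same Expat callback, {{XML_SetEntityDeclHandler}}) to show that a default parser silently expands an internal entity declared in the DTD subset, and that registering an entity-declaration handler aborts the parse as soon as a declaration appears, before any expansion can happen. The sample documents are constructed; pyexpat has no {{XML_StopParser}} binding, so the handler raises an exception, which Expat turns into a stopped parse and {{Parse()}} re-raises.

```python
import xml.parsers.expat


class EntityDeclarationRejected(Exception):
    """Raised when the document declares an entity (internal or external)."""


def parse_collecting_text(document, reject_entity_decls):
    """Parse `document` (a str) with Expat and return its concatenated
    character data.  With reject_entity_decls=True any <!ENTITY ...>
    declaration aborts the parse, the same effect the C handler in the
    report achieves with XML_StopParser()."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_cdata(data):
        chunks.append(data)

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # Raising inside a handler makes pyexpat stop the parser and
        # propagate the exception out of Parse(); the entity is never used.
        raise EntityDeclarationRejected(entity_name)

    parser.CharacterDataHandler = on_cdata
    if reject_entity_decls:
        parser.EntityDeclHandler = on_entity_decl
    parser.Parse(document, True)
    return "".join(chunks)


# Constructed sample inputs (not taken from the report).
PLAIN_DOC = "<r><a>hello</a><b> world</b></r>"
DOC_WITH_INTERNAL_ENTITY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE r [ <!ENTITY greet "hello"> ]>'
    "<r>&greet;&greet;</r>"
)


def hardened_parse(document):
    """Return ('ok', text) for documents without entity declarations and
    ('rejected', entity_name) for documents that declare one."""
    try:
        return ("ok", parse_collecting_text(document, reject_entity_decls=True))
    except EntityDeclarationRejected as exc:
        return ("rejected", exc.args[0])


if __name__ == "__main__":
    # Default parser: the declared entity is expanded on every reference.
    print(parse_collecting_text(DOC_WITH_INTERNAL_ENTITY, reject_entity_decls=False))
    # Hardened parser: plain documents still work, declarations are refused.
    print(hardened_parse(PLAIN_DOC))
    print(hardened_parse(DOC_WITH_INTERNAL_ENTITY))
```

Rejecting every entity declaration is the right policy for a request filter like mod_dontdothat, whose input never legitimately needs a DTD. Where entity declarations must be accepted, Expat 2.4 and later also offer {{XML_SetBillionLaughsAttackProtectionMaximumAmplification}} and {{XML_SetBillionLaughsAttackProtectionActivationThreshold}} to cap the expansion ratio instead.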


