[ 
https://issues.apache.org/jira/browse/SVN-4630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ivan Zhakov updated SVN-4630:
-----------------------------
    Component/s: libsvn_ra_serf

> Unrestricted internal XML entities expansion
> --------------------------------------------
>
>                 Key: SVN-4630
>                 URL: https://issues.apache.org/jira/browse/SVN-4630
>             Project: Subversion
>          Issue Type: Bug
>          Components: libsvn_ra_serf, tools
>            Reporter: Florian Weimer
>            Priority: Minor
>
> In subversion 1.7.7 in {{tools/server-side/mod_dontdothat/mod_dontdothat.c}}, 
> there is the following code:
> {code}
>       ctx->xmlp = XML_ParserCreate(NULL);
>       apr_pool_cleanup_register(r->pool, ctx->xmlp,
>                                 clean_up_parser,
>                                 apr_pool_cleanup_null);
>       XML_SetUserData(ctx->xmlp, ctx);
>       XML_SetElementHandler(ctx->xmlp, start_element, end_element);
>       XML_SetCharacterDataHandler(ctx->xmlp, cdata);
> {code}
> This doesn't disable entity expansion for the internal DTD subset, so there 
> is a denial-of-service vector ("billion laughs attack").
> Adding the following handler using
> {code}
>   XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler);
> {code}
> with the following function definition
> {code}
> // Stop the parser when an entity declaration is encountered.
> // Note: the cast below treats the handler argument as the XML_Parser,
> // which only holds when the parser is registered as its own handler
> // argument (XML_UseParserAsHandlerArg). With XML_SetUserData(ctx->xmlp, ctx)
> // as above, the handler receives ctx and should stop ctx->xmlp instead.
> static void
> EntityDeclHandler(void *userData,
>                 const XML_Char *entityName, int is_parameter_entity,
>                 const XML_Char *value, int value_length,
>                 const XML_Char *base, const XML_Char *systemId,
>                 const XML_Char *publicId, const XML_Char *notationName)
> {
>   // Second argument XML_FALSE: the parse cannot be resumed.
>   XML_StopParser((XML_Parser)userData, XML_FALSE);
> }
> {code}
> The Expat parser creation in {{subversion/libsvn_ra_serf/util.c}} and 
> {{subversion/libsvn_subr/xml.c}} should be fixed as well, but these are in 
> the client-side code (I think), and therefore less of a security concern.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)