mod_dontdothat does not inhibit XML entity expansion

From: Florian Weimer <fw_at_deneb.enyo.de>
Date: Sat, 23 Apr 2016 17:55:23 +0200

It seems that mod_dontdothat creates an Expat XML parser without
inhibiting XML entity expansion for the internal DTD subset. This
might cause a denial-of-service issue when parsing client-submitted
XML.

There are other pieces of code in Subversion which also create Expat
parsers this way, but they are in the client code, so there is less
exposure.

May I file an issue for this?

Thanks,
Florian
Received on 2016-04-23 17:55:36 CEST

This message: [ Message body ]
Next message: Stefan Sperling: "Re: mod_dontdothat does not inhibit XML entity expansion"
Previous message: Mark Phippard: "Re: Enhancement: Expose Merge Whitespace Options in JavaHL"
Next in thread: Stefan Sperling: "Re: mod_dontdothat does not inhibit XML entity expansion"
Reply: Stefan Sperling: "Re: mod_dontdothat does not inhibit XML entity expansion"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]