[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Unrestricted entity expansion in Expat parsers

From: Florian Weimer <fw_at_deneb.enyo.de>
Date: Sun, 24 Apr 2016 14:18:41 +0200

Here's a really old Fedora bug report which, as far as I know, has not
been forwarded upstream so far:

  https://bugzilla.redhat.com/show_bug.cgi?id=888755

Quoting from the bug report:

> In subversion 1.7.7 in
> tools/server-side/mod_dontdothat/mod_dontdothat.c, there is the
> following code:
>
> ctx->xmlp = XML_ParserCreate(NULL);
> apr_pool_cleanup_register(r->pool, ctx->xmlp,
> clean_up_parser,
> apr_pool_cleanup_null);
> XML_SetUserData(ctx->xmlp, ctx);
> XML_SetElementHandler(ctx->xmlp, start_element, end_element);
> XML_SetCharacterDataHandler(ctx->xmlp, cdata);
>
> This doesn't disable entity expansion for the internal DTD subset,
> so there is a denial-of-service vector ("billion laughs attack").
> I'm marking this as a security bug because it probably allows to
> crash Apache or trigger the kernel OOM handler. This should
> probably be fixed in coordination with Subversion upstream.

> Adding the following handler using
>
> XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler);
>
> should be sufficient to address this issue.
>
> // Stop the parser when an entity declaration is encountered.
> static void
> EntityDeclHandler(void *userData,
> const XML_Char *entityName, int is_parameter_entity,
> const XML_Char *value, int value_length,
> const XML_Char *base, const XML_Char *systemId,
> const XML_Char *publicId, const XML_Char *notationName)
> {
> XML_StopParser((XML_Parser)userData, XML_FALSE);
> }

I still don't see a reference to XML_SetEntityDeclHandler in the
sources, so I believe the issue still exists.

This issue was found by looking for binaries which reference
XML_ParserCreate, but not XML_SetEntityDeclHandler. I have not
constructed an actual reproducer.
Received on 2016-04-24 14:18:52 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.