[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: mod_dontdothat does not inhibit XML entity expansion

From: Stefan Sperling <stsp_at_elego.de>
Date: Sat, 23 Apr 2016 18:31:39 +0200

On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
> It seems that mod_dontdothat creates an Expat XML parser without
> inhibiting XML entity expansion for the internal DTD subset. This
> might cause a denial-of-service issue when parsing client-submitted
> XML.
> There are other pieces of code in Subversion which also create Expat
> parsers this way, but they are in the client code, so there is less
> exposure.
> May I file an issue for this?


If you'd rather not expose details publicly, you can instead submit
a report as described here: http://subversion.apache.org/security/
Received on 2016-04-23 18:31:55 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.