Re: mod_dontdothat does not inhibit XML entity expansion

From: Stefan Sperling <stsp_at_elego.de>
Date: Sat, 23 Apr 2016 18:31:39 +0200

On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
> It seems that mod_dontdothat creates an Expat XML parser without
> inhibiting XML entity expansion for the internal DTD subset. This
> might cause a denial-of-service issue when parsing client-submitted
> XML.
>
> There are other pieces of code in Subversion which also create Expat
> parsers this way, but they are in the client code, so there is less
> exposure.
>
> May I file an issue for this?

Sure.

If you'd rather not expose details publicly, you can instead submit
a report as described here: http://subversion.apache.org/security/
Received on 2016-04-23 18:31:55 CEST

This message: [ Message body ]
Next message: Florian Weimer: "Re: mod_dontdothat does not inhibit XML entity expansion"
Previous message: Florian Weimer: "mod_dontdothat does not inhibit XML entity expansion"
In reply to: Florian Weimer: "mod_dontdothat does not inhibit XML entity expansion"
Next in thread: Florian Weimer: "Re: mod_dontdothat does not inhibit XML entity expansion"
Reply: Florian Weimer: "Re: mod_dontdothat does not inhibit XML entity expansion"
Reply: Daniel Shahaf: "Re: mod_dontdothat does not inhibit XML entity expansion"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]