Re: mod_dontdothat does not inhibit XML entity expansion

From: Florian Weimer <fw_at_deneb.enyo.de>
Date: Sat, 23 Apr 2016 18:35:18 +0200

* Stefan Sperling:

> On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
>> It seems that mod_dontdothat creates an Expat XML parser without
>> inhibiting XML entity expansion for the internal DTD subset. This
>> might cause a denial-of-service issue when parsing client-submitted
>> XML.
>>
>> There are other pieces of code in Subversion which also create Expat
>> parsers this way, but they are in the client code, so there is less
>> exposure.
>>
>> May I file an issue for this?
>
> Sure.

Thanks.

> If you'd rather not expose details publicly, you can instead submit
> a report as described here: http://subversion.apache.org/security/

There is already a public Fedora bug report about this, so it doesn't
really mattter at this point.
Received on 2016-04-23 18:35:23 CEST

This message: [ Message body ]
Next message: Ryan J Ollos: "Modifying transaction properties (svnadmin setrevprop)"
Previous message: Stefan Sperling: "Re: mod_dontdothat does not inhibit XML entity expansion"
In reply to: Stefan Sperling: "Re: mod_dontdothat does not inhibit XML entity expansion"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]