
Re: mod_dontdothat does not inhibit XML entity expansion

From: Florian Weimer <fw_at_deneb.enyo.de>
Date: Sat, 23 Apr 2016 18:35:18 +0200

* Stefan Sperling:

> On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
>> It seems that mod_dontdothat creates an Expat XML parser without
>> inhibiting XML entity expansion for the internal DTD subset. This
>> might cause a denial-of-service issue when parsing client-submitted
>> XML.
>>
>> There are other pieces of code in Subversion which also create Expat
>> parsers this way, but they are in the client code, so there is less
>> exposure.
>>
>> May I file an issue for this?
>
> Sure.

Thanks.

> If you'd rather not expose details publicly, you can instead submit
> a report as described here: http://subversion.apache.org/security/

There is already a public Fedora bug report about this, so it doesn't
really matter at this point.

Received on 2016-04-23 18:35:23 CEST
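A defensive illustration of the point raised above, added here and not taken from the thread or from Subversion's code: it uses Python's xml.parsers.expat binding to the same Expat library and installs an entity-declaration handler that aborts parsing as soon as the internal DTD subset declares an entity. The request bodies and element names are constructed for the example.

```python
import xml.parsers.expat as expat


class EntityDeclarationRejected(Exception):
    """Raised when an untrusted document declares an entity in its DTD."""


def make_hardened_parser():
    """Create an Expat parser that refuses every entity declaration.

    Expat expands internal general entities by default, so nested declarations
    in the internal DTD subset can turn a tiny request into a huge
    character-data stream. Rejecting the declaration itself closes that door
    without otherwise changing how the parser behaves.
    """
    parser = expat.ParserCreate()

    def reject_entity(name, is_parameter, value, base, system_id,
                      public_id, notation):
        # Raising inside a handler stops Expat; the exception propagates out
        # of Parse(), so no further input is consumed.
        raise EntityDeclarationRejected(f"entity declaration {name!r} refused")

    parser.EntityDeclHandler = reject_entity
    return parser


def parse_untrusted(xml_bytes, hardened=True):
    """Parse client-submitted XML; return (accepted, element_names_or_reason)."""
    parser = make_hardened_parser() if hardened else expat.ParserCreate()
    elements = []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    try:
        parser.Parse(xml_bytes, True)
    except EntityDeclarationRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, elements


# Constructed sample inputs: a plain request body, and one whose internal DTD
# subset declares an entity that the body then references.
PLAIN_REQUEST = b'<?xml version="1.0"?><request><path>/trunk</path></request>'
ENTITY_REQUEST = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE request [ <!ENTITY e "expanded"> ]>'
                  b'<request><path>&e;</path></request>')

if __name__ == "__main__":
    print(parse_untrusted(PLAIN_REQUEST))           # accepted
    print(parse_untrusted(ENTITY_REQUEST))          # refused by hardened parser
    print(parse_untrusted(ENTITY_REQUEST, False))   # default parser expands it
```

The third call shows the behaviour the report is about: a default-configured Expat parser accepts the declaration and expands the reference without complaint.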

This is an archived mail posted to the Subversion Users mailing list.
