
Re: mod_dontdothat does not inhibit XML entity expansion

From: Daniel Shahaf <danielsh_at_apache.org>
Date: Sat, 23 Apr 2016 21:50:49 +0000

Stefan Sperling wrote on Sat, Apr 23, 2016 at 18:31:39 +0200:
> On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
> > It seems that mod_dontdothat creates an Expat XML parser without
> > inhibiting XML entity expansion for the internal DTD subset. This
> > might cause a denial-of-service issue when parsing client-submitted
> > XML.
> >
> > There are other pieces of code in Subversion which also create Expat
> > parsers this way, but they are in the client code, so there is less
> > exposure.
> >
> > May I file an issue for this?
>
> Sure.

You can simply email the details to dev_at_subversion.apache.org, in
addition to or instead of opening a jira ticket [jira is under
a temporary lockdown right now].

Thanks,

Daniel
Received on 2016-04-23 23:50:52 CEST
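
The behaviour reported in the quoted message, and one way to inhibit it, shown as an added example that is not part of the thread or of Subversion's code. It uses Python's `xml.parsers.expat` binding to Expat rather than the C API that mod_dontdothat calls; the function names and the sample document are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: three small nested entities in the internal DTD subset.
# 43 bytes of declared text expand to 10 * 10 * 10 = 1000 characters.
NESTED = b"""<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY a "0123456789">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<r>&c;</r>"""

PLAIN = b"<r>hello</r>"


class EntityDeclarationRejected(Exception):
    """Raised when client-submitted XML declares an entity in its DTD."""


def parse_body(body, reject_entity_decls):
    """Parse body with Expat and return how many characters of text it delivered.

    With reject_entity_decls=False the parser is created the way the report
    describes: nothing stops internal entities from being expanded.
    With reject_entity_decls=True the parse aborts at the first <!ENTITY ...>
    declaration, before any reference to it can be expanded.
    """
    parser = expat.ParserCreate()
    delivered = 0

    def on_text(data):
        nonlocal delivered
        delivered += len(data)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Exceptions raised in a pyexpat handler abort Parse() and propagate.
        raise EntityDeclarationRejected(name)

    parser.CharacterDataHandler = on_text
    if reject_entity_decls:
        parser.EntityDeclHandler = on_entity_decl
    parser.Parse(body, True)
    return delivered


if __name__ == "__main__":
    print("unprotected parse delivered", parse_body(NESTED, False), "characters")
    try:
        parse_body(NESTED, True)
    except EntityDeclarationRejected as exc:
        print("rejected entity declaration:", exc)
```

In C the same hook is `XML_SetEntityDeclHandler`, with `XML_StopParser` called from the handler to abort the parse.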

This is an archived mail posted to the Subversion Users mailing list.
