  1. Subversion
  2. SVN-4630

Unrestricted internal XML entities expansion


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: libsvn_ra_serf, tools
    • Labels:
      None

      Description

      In Subversion 1.7.7 in tools/server-side/mod_dontdothat/mod_dontdothat.c, there is the following code:

            ctx->xmlp = XML_ParserCreate(NULL);
            apr_pool_cleanup_register(r->pool, ctx->xmlp,
                                      clean_up_parser,
                                      apr_pool_cleanup_null);
            XML_SetUserData(ctx->xmlp, ctx);
            XML_SetElementHandler(ctx->xmlp, start_element, end_element);
            XML_SetCharacterDataHandler(ctx->xmlp, cdata);
      

      This doesn't disable entity expansion for the internal DTD subset, so there is a denial-of-service vector ("billion laughs attack").

      Adding the following handler using

        XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler);
      

      with the following function definition

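      /* Stop the parser when an entity declaration is encountered.
         userData is the filter context registered with XML_SetUserData()
         above (dontdothat_filter_ctx in mod_dontdothat.c), not the parser
         itself, so the parser handle is taken from ctx->xmlp. */
      static void
      EntityDeclHandler(void *userData,
                        const XML_Char *entityName, int is_parameter_entity,
                        const XML_Char *value, int value_length,
                        const XML_Char *base, const XML_Char *systemId,
                        const XML_Char *publicId, const XML_Char *notationName)
      {
        dontdothat_filter_ctx *ctx = userData;

        XML_StopParser(ctx->xmlp, XML_FALSE);
      }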
      

      The Expat parser creation in subversion/libsvn_ra_serf/util.c and subversion/libsvn_subr/xml.c should be fixed as well, but these are in the client-side code (I think), and therefore less of a security concern.
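
The effect of the proposed entity-declaration handler, shown through Python's `xml.parsers.expat` binding to the same Expat library. This is an added example, not part of the original report or of Subversion's code. Raising from the handler aborts the parse here, in place of the C call to `XML_StopParser`; `parse_body`, `EntityDeclarationRejected` and both sample documents are constructed for illustration.

```python
import xml.parsers.expat


class EntityDeclarationRejected(Exception):
    """The document declared an entity in its DTD; parsing was aborted."""


def _reject_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # Same policy as the handler in the report: stop at the first entity
    # declaration, before any reference to it can be expanded.
    raise EntityDeclarationRejected(entity_name)


def parse_body(body, reject_entities=True):
    """Parse body; return (element names, characters of text delivered)."""
    elements, text = [], []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    if reject_entities:
        parser.EntityDeclHandler = _reject_entity_decl
    parser.Parse(body, True)
    return elements, sum(len(chunk) for chunk in text)


# Constructed sample: an ordinary body with no DTD.
BENIGN = b"<report><path>/trunk</path></report>"

# Constructed sample: small nested internal entities (10 chars * 4 * 4).
# Kept tiny on purpose; it only shows that expansion multiplies per level.
NESTED = (b'<?xml version="1.0"?>\n'
          b'<!DOCTYPE r [\n'
          b'  <!ENTITY a "xxxxxxxxxx">\n'
          b'  <!ENTITY b "&a;&a;&a;&a;">\n'
          b'  <!ENTITY c "&b;&b;&b;&b;">\n'
          b']>\n'
          b'<r>&c;</r>')

if __name__ == "__main__":
    print("benign, handler on :", parse_body(BENIGN))
    print("nested, handler off:", parse_body(NESTED, reject_entities=False))
    try:
        parse_body(NESTED)
    except EntityDeclarationRejected as exc:
        print("nested, handler on : rejected at entity", exc.args[0])
```

Bodies that carry no internal DTD subset parse exactly as before, so the handler only affects documents that declare entities.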

            People

            • Assignee:
              Unassigned
              Reporter:
              fweimer@redhat.com Florian Weimer