Details
- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
Description
In Subversion 1.7.7, tools/server-side/mod_dontdothat/mod_dontdothat.c creates its Expat parser with the following code:

    ctx->xmlp = XML_ParserCreate(NULL);
    apr_pool_cleanup_register(r->pool, ctx->xmlp, clean_up_parser,
                              apr_pool_cleanup_null);
    XML_SetUserData(ctx->xmlp, ctx);
    XML_SetElementHandler(ctx->xmlp, start_element, end_element);
    XML_SetCharacterDataHandler(ctx->xmlp, cdata);
Nothing here disables entity expansion for the internal DTD subset, so a request body can declare a handful of nested entities that expand into gigabytes of character data while the parser runs: a denial-of-service vector (the "billion laughs" attack).
Registering an entity-declaration handler on the parser with

    XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler);

using the following function definition

    /* Stop the parser when an entity declaration is encountered. */
    static void
    EntityDeclHandler(void *userData,
                      const XML_Char *entityName,
                      int is_parameter_entity,
                      const XML_Char *value,
                      int value_length,
                      const XML_Char *base,
                      const XML_Char *systemId,
                      const XML_Char *publicId,
                      const XML_Char *notationName)
    {
      /* XML_SetUserData() above registers ctx, not the parser, as userData,
         so fetch the parser from the context rather than casting userData
         to XML_Parser. */
      dontdothat_filter_ctx *ctx = userData;

      XML_StopParser(ctx->xmlp, XML_FALSE);
    }

aborts the parse at the first <!ENTITY ...> declaration, before any reference to it can be expanded. Because the stop is non-resumable, XML_Parse() then returns XML_STATUS_ERROR with XML_GetErrorCode() reporting XML_ERROR_ABORTED, and the filter must treat that like any other parse failure of the request body.
The Expat parser creation in subversion/libsvn_ra_serf/util.c and subversion/libsvn_subr/xml.c should be fixed as well, but these are in the client-side code (I think), and therefore less of a security concern.
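As an added illustration (not part of this report or of Subversion), the following Python script drives the same Expat library through the standard library's xml.parsers.expat binding. It builds a small constructed "laughs" document whose four nesting levels expand roughly 400 bytes of input into 30,000 bytes of character data, parses it once with a bare parser (the situation in mod_dontdothat.c above) and once with an EntityDeclHandler registered. Python's binding does not expose XML_StopParser(), so the handler raises an exception, which pyexpat turns into an aborted parse, the equivalent of the non-resumable stop in the C handler. The document builder, the handler names and the -1 sentinel are this example's own choices. Note that Expat 2.4.0 and later additionally refuse documents whose entity amplification exceeds a configurable factor once the expanded output passes an activation threshold (8 MiB by default); the sample here stays far below that, so it expands unhindered on any Expat version.

```python
# Added example: Expat internal-entity expansion and an entity-declaration
# guard, using Python's stdlib binding to the same Expat library.
import xml.parsers.expat as expat


def laughs_document(depth=4, fanout=10):
    """Build a constructed 'billion laughs' style document.

    Each level declares one entity made of `fanout` references to the
    previous level, so the root element expands to fanout**depth copies
    of "lol" while the document itself stays a few hundred bytes long.
    """
    parts = [
        '<?xml version="1.0"?>',
        '<!DOCTYPE lolz [',
        '<!ENTITY lol0 "lol">',
    ]
    for level in range(1, depth + 1):
        refs = f"&lol{level - 1};" * fanout
        parts.append(f'<!ENTITY lol{level} "{refs}">')
    parts.append("]>")
    parts.append(f"<lolz>&lol{depth};</lolz>")
    return "\n".join(parts)


class EntityDeclarationRejected(Exception):
    """Raised from the handler to abort the parse (stands in for XML_StopParser)."""


def parse_counting_cdata(document, reject_entity_decls):
    """Parse `document` with Expat and return the number of character-data
    bytes delivered to the application, or -1 if the parse was aborted
    because an entity declaration was encountered.

    With reject_entity_decls=False the parser behaves like the one in
    mod_dontdothat.c: every entity reference is expanded and handed to the
    character-data handler. With True, an EntityDeclHandler is registered
    that refuses the document at the first <!ENTITY ...> declaration,
    before anything could be expanded.
    """
    parser = expat.ParserCreate()
    delivered = 0

    def on_cdata(data):
        nonlocal delivered
        delivered += len(data)

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # Abort immediately; pyexpat propagates the exception out of Parse().
        raise EntityDeclarationRejected(entity_name)

    parser.CharacterDataHandler = on_cdata
    if reject_entity_decls:
        parser.EntityDeclHandler = on_entity_decl

    try:
        parser.Parse(document, True)
    except EntityDeclarationRejected:
        return -1
    return delivered


if __name__ == "__main__":
    doc = laughs_document()
    print(f"document size: {len(doc)} bytes")
    print(f"unguarded parse delivered {parse_counting_cdata(doc, False)} bytes of cdata")
    print(f"guarded parse result: {parse_counting_cdata(doc, True)}")
```

Raising depth or fanout grows the expanded output geometrically while the input grows linearly, which is the whole point of the attack; the guarded parser's cost stays bounded by the position of the first declaration. A plain body without a DTD still parses normally under the guard, which is what a REPORT filter that expects only the fixed Subversion vocabulary needs.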