
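--- a/test/data/billion-laughs.xml
+++ b/test/data/billion-laughs.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0"?>
+<!DOCTYPE billion [
+<!ELEMENT billion (#PCDATA)>
+<!ENTITY laugh0 "ha">
+<!ENTITY laugh1 "&laugh0;&laugh0;">
+<!ENTITY laugh2 "&laugh1;&laugh1;">
+<!ENTITY laugh3 "&laugh2;&laugh2;">
+<!ENTITY laugh4 "&laugh3;&laugh3;">
+<!ENTITY laugh5 "&laugh4;&laugh4;">
+<!ENTITY laugh6 "&laugh5;&laugh5;">
+<!ENTITY laugh7 "&laugh6;&laugh6;">
+<!ENTITY laugh8 "&laugh7;&laugh7;">
+<!ENTITY laugh9 "&laugh8;&laugh8;">
+<!ENTITY laugh10 "&laugh9;&laugh9;">
+<!ENTITY laugh11 "&laugh10;&laugh10;">
+<!ENTITY laugh12 "&laugh11;&laugh11;">
+<!ENTITY laugh13 "&laugh12;&laugh12;">
+<!ENTITY laugh14 "&laugh13;&laugh13;">
+<!ENTITY laugh15 "&laugh14;&laugh14;">
+<!ENTITY laugh16 "&laugh15;&laugh15;">
+<!ENTITY laugh17 "&laugh16;&laugh16;">
+<!ENTITY laugh18 "&laugh17;&laugh17;">
+<!ENTITY laugh19 "&laugh18;&laugh18;">
+<!ENTITY laugh20 "&laugh19;&laugh19;">
+<!ENTITY laugh21 "&laugh20;&laugh20;">
+<!ENTITY laugh22 "&laugh21;&laugh21;">
+<!ENTITY laugh23 "&laugh22;&laugh22;">
+<!ENTITY laugh24 "&laugh23;&laugh23;">
+<!ENTITY laugh25 "&laugh24;&laugh24;">
+<!ENTITY laugh26 "&laugh25;&laugh25;">
+<!ENTITY laugh27 "&laugh26;&laugh26;">
+<!ENTITY laugh28 "&laugh27;&laugh27;">
+<!ENTITY laugh29 "&laugh28;&laugh28;">
+<!ENTITY laugh30 "&laugh29;&laugh29;">
+]>
+<billion>&laugh30;</billion>
   + native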
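--- a/test/testxml.c
+++ b/test/testxml.c
@@ -36,8 +36,7 @@
         return rv;
 
     rv = apr_file_puts("<?xml version=\"1.0\" ?>\n<maryx>"
-                       "<had a=\"little\"/><lamb its='fleece "
-                       "was white as snow' />\n", *fd);
+                       "<had a=\"little\"/><lamb/>\n", *fd);
     ABTS_INT_EQUAL(tc, APR_SUCCESS, rv);
 
     for (i = 0; i < 5000; i++) {
@@ -75,7 +74,7 @@
 
     for (i = 0; i < 5000; i++) {
         rv = apr_file_puts("<hmm roast=\"lamb\" "
-                           "for=\"dinner\">yummy</hmm>\n", *fd);
+                           "for=\"dinner &lt;&gt;&#x3D;\">yummy</hmm>\n", *fd);
         ABTS_INT_EQUAL(tc, APR_SUCCESS, rv);
     }
 
@@ -103,7 +102,7 @@
         a = e->attr;
         ABTS_PTR_NOTNULL(tc, a);
         ABTS_STR_EQUAL(tc, "for", a->name);
-        ABTS_STR_EQUAL(tc, "dinner", a->value);
+        ABTS_STR_EQUAL(tc, "dinner <>=", a->value);
         a = a->next;
         ABTS_PTR_NOTNULL(tc, a);
         ABTS_STR_EQUAL(tc, "roast", a->name);
@@ -149,11 +148,29 @@
     ABTS_TRUE(tc, rv != APR_SUCCESS);
 }
 
+static void test_billion_laughs(abts_case *tc, void *data)
+{
+    apr_file_t *fd;
+    apr_xml_parser *parser;
+    apr_xml_doc *doc;
+    apr_status_t rv;
+
+    rv = apr_file_open(&fd, "data/billion-laughs.xml", 
+                       APR_FOPEN_READ, 0, p);
+    APR_ASSERT_SUCCESS(tc, "open billion-laughs.xml", rv);
+
+    rv = apr_xml_parse_file(p, &parser, &doc, fd, 2000);
+    ABTS_TRUE(tc, rv != APR_SUCCESS);
+
+    apr_file_close(fd);
+}
+
 abts_suite *testxml(abts_suite *suite)
 {
     suite = ADD_SUITE(suite);
 
     abts_run_test(suite, test_xml_parser, NULL);
+    abts_run_test(suite, test_billion_laughs, NULL);
 
     return suite;
 }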
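Review bot: `test_billion_laughs` asserts `rv != APR_SUCCESS` unconditionally, but the comment added in xml/apr_xml.c says that with expat older than 2.x the entity references are only blanked out and the parser is not stopped, so on such a build the parse presumably succeeds and this test fails. The expectation should depend on the expat version, or the pre-2.x case should instead assert that the parsed `doc` contains no expanded text. Separately, unless `APR_ASSERT_SUCCESS` returns from the test on failure (not visible here), a failed `apr_file_open` leaves `fd` uninitialised when it is passed to `apr_xml_parse_file` and `apr_file_close`; adding `if (rv != APR_SUCCESS) return;` after the open assertion avoids that.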
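--- a/xml/apr_xml.c
+++ b/xml/apr_xml.c
@@ -347,6 +347,25 @@
     return APR_SUCCESS;
 }
 
+#if XML_MAJOR_VERSION > 1
+/* Stop the parser if an entity declaration is hit. */
+static void entity_declaration(void *userData, const XML_Char *entityName,
+                               int is_parameter_entity, const XML_Char *value,
+                               int value_length, const XML_Char *base,
+                               const XML_Char *systemId, const XML_Char *publicId,
+                               const XML_Char *notationName)
+{
+    apr_xml_parser *parser = userData;
+
+    XML_StopParser(parser->xp, XML_FALSE);
+}
+#else
+/* A noop default_handler. */
+static void default_handler(void *userData, const XML_Char *s, int len)
+{
+}
+#endif
+
 APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
 {
     apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
@@ -372,6 +391,19 @@
     XML_SetElementHandler(parser->xp, start_handler, end_handler);
     XML_SetCharacterDataHandler(parser->xp, cdata_handler);
 
+    /* Prevent the "billion laughs" attack against expat by disabling
+     * internal entity expansion.  With 2.x, forcibly stop the parser
+     * if an entity is declared - this is safer and a more obvious
+     * failure mode.  With older versions, installing a noop
+     * DefaultHandler means that internal entities will be expanded as
+     * the empty string, which is also sufficient to prevent the
+     * attack. */
+#if XML_MAJOR_VERSION > 1
+    XML_SetEntityDeclHandler(parser->xp, entity_declaration);
+#else
+    XML_SetDefaultHandler(parser->xp, default_handler);
+#endif
+
     return parser;
 }
 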
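Review bot: The two branches installed in `apr_xml_parser_create` fail in different ways, and neither is documented for callers. With expat 2.x, `entity_declaration` stops the parse on any entity declaration, including harmless ones. With older expat, the comment says entity references become the empty string, so a document that uses them is presumably accepted with its content silently altered. The doc comment for `apr_xml_parser_create` should say so, for example `Documents that declare entities are rejected (expat 2.x) or parsed with entity references dropped (expat 1.x)`. `entity_declaration` also ignores the result of `XML_StopParser`, so a one-line comment on why that is safe to ignore would help; it is also worth confirming that callers get a distinguishable error for the aborted parse. The middle of `apr_xml_parser_create` lies between the two hunks and is not visible here.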
