
Shlomi Fish  committed cff7d6d Merge

Merged from the GRANTM pull request.

For good this time.

  • Parent commits bbfe363, 33512f9


Files changed (5)

   XML_PARSE_OLDSAX	  => 1048576,  # parse using SAX2 interface from before 2.7.0
 };
 
-$XML_LIBXML_PARSE_DEFAULTS = ( XML_PARSE_NODICT | XML_PARSE_HUGE | XML_PARSE_DTDLOAD | XML_PARSE_NOENT );
+$XML_LIBXML_PARSE_DEFAULTS = ( XML_PARSE_NODICT | XML_PARSE_DTDLOAD | XML_PARSE_NOENT );
 
 # this hash is made global so that applications can add names for new
 # libxml2 parser flags as temporary workaround
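Review bot: `XML_PARSE_DTDLOAD | XML_PARSE_NOENT` are still part of `$XML_LIBXML_PARSE_DEFAULTS` after this change, so a parser created with a plain `XML::LibXML->new` keeps loading external DTDs and substituting entities by default. Dropping `XML_PARSE_HUGE` restores the parser's hardcoded limits against runaway expansion, but it does not change how external entities are resolved for untrusted input. If those two defaults must stay for compatibility, the reason for omitting the third should be recorded next to the assignment, e.g. `# XML_PARSE_HUGE is deliberately not a default: it lifts the parser's hardcoded limits (entity-expansion DoS)`. The documentation could also point callers who parse untrusted XML at `load_ext_dtd => 0`, `expand_entities => 0` and `no_network => 1`.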
 t/30xpathcontext.t
 t/31xpc_functions.t
 t/32xpc_variables.t
+t/35huge_mode.t
 t/40reader.t
 t/40reader_mem_error.t
 t/41xinclude.t

File docs/libxml.dbk

 			      a list of option => value pairs to
 			      set a different default set of options.
 			      Unless specified otherwise, the options
-			      <literal>load_ext_dtd</literal>,
-			      <literal>expand_entities</literal>, and
-			      <literal>huge</literal> are set to 1.
+			      <literal>load_ext_dtd</literal>, and
+			      <literal>expand_entities</literal> are set to 1.
 			      See <xref linkend="parser-options"/> for a list of libxml2 parser's options.
 			    </para>
                         </listitem>
             <listitem>
 	      <para>/parser, html, reader/</para>
               <para>relax any hardcoded limit from the parser; possible values are 0 and 1. Unless specified,
-		XML::LibXML sets this option to 1.</para>
+		XML::LibXML sets this option to 0.</para>
+              <para>Note: the default value for this option was changed to protect against denial
+                of service through entity expansion attacks.  Before enabling the option ensure
+                you have taken alternative measures to protect your application against this type
+                of attack.</para>
             </listitem>
           </varlistentry>
           <varlistentry>

File t/35huge_mode.t

+#!/usr/bin/perl
+#
+# Having 'XML_PARSE_HUGE' enabled can make an application vulnerable to
+# denial of service through entity expansion attacks.  This test script
+# confirms that huge document mode is disabled by default and that this
+# does not adversely affect expansion of sensible entity definitions.
+#
+
+use strict;
+use warnings;
+
+use Test::More tests => 5;
+
+use XML::LibXML;
+
+my $benign_xml = <<'EOF';
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+  <!ENTITY lol "haha">
+]>
+<lolz>&lol;</lolz>
+EOF
+
+my $evil_xml = <<'EOF';
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ENTITY lol1 "&lol;&lol;">
+ <!ENTITY lol2 "&lol1;&lol1;">
+ <!ENTITY lol3 "&lol2;&lol2;">
+ <!ENTITY lol4 "&lol3;&lol3;">
+ <!ENTITY lol5 "&lol4;&lol4;">
+ <!ENTITY lol6 "&lol5;&lol5;">
+ <!ENTITY lol7 "&lol6;&lol6;">
+ <!ENTITY lol8 "&lol7;&lol7;">
+ <!ENTITY lol9 "&lol8;&lol8;">
+]>
+<lolz>&lol9;</lolz>
+EOF
+
+my($parser, $doc);
+
+$parser = XML::LibXML->new;
+#$parser->set_option(huge => 0);
+ok(!$parser->get_option('huge'), "huge mode disabled by default");
+
+$doc = eval { $parser->parse_string($evil_xml); };
+
+isnt("$@", "", "exception thrown during parse");
+like($@, qr/entity.*loop/si, "exception refers to entity reference loop");
+
+
+$parser = XML::LibXML->new;
+
+$doc = eval { $parser->parse_string($benign_xml); };
+
+is("$@", "", "no exception thrown during parse");
+
+my $body = $doc->findvalue( '/lolz' );
+is($body, 'haha', 'entity was parsed and expanded correctly');
+
+exit;
+
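Review bot: The `like($@, qr/entity.*loop/si, ...)` assertion ties the test to the wording of the underlying library's error message, so a differently phrased limit error would fail the test even though the parse was correctly refused. The preceding `isnt("$@", "", ...)` passes on any exception at all, so it is worth asserting the outcome directly as well, e.g. `ok(!defined $doc, "no document returned for the nested-entity input");` with the plan raised to `tests => 6`. The commented-out `#$parser->set_option(huge => 0);` above the first `ok` is leftover and should go, since the point of the test is the default. In the benign half, `$doc->findvalue('/lolz')` dies on an undefined `$doc` if the parse failed, which would surface as a plan mismatch rather than a clear failure; guarding it with `SKIP` or an early `BAIL_OUT` would read better.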

File t/43options.t

 {
   my $p = XML::LibXML->new();
   for my $opt (@all) {
-    my $ret = (($opt =~ /^(?:load_ext_dtd|expand_entities|huge)$/) ? 1 : 0);
+    my $ret = (($opt =~ /^(?:load_ext_dtd|expand_entities)$/) ? 1 : 0);
     # TEST*$all
     ok(
         ($p->get_option($opt)||0) == $ret