Pull request #19 (Merged)

grantmnz (branch: default) → shlomif (branch: default)

Don't enable XML_PARSE_HUGE by default

Author: Grant McLean

Description

This patchset changes the default value for the XML_PARSE_HUGE parser option from enabled to disabled in order to protect against denial of service through entity expansion attacks.

With huge mode disabled, the parser will still expand entities but will throw an "entity reference loop" error during parsing if entity definitions are nested too many levels deep.
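As an added illustration (not code from this pull request), the following Perl snippet shows how an application can pin the `huge` option off regardless of which default its installed module ships with, and how a libxml2 entity-limit rejection surfaces as an ordinary parse failure. It assumes the project is the Perl XML::LibXML module (suggested by the `huge` option and the `t/43options.t` test file named below); `make_safe_parser` and `parse_untrusted` are names chosen for this example.

```perl
use strict;
use warnings;
use XML::LibXML;

# Build a parser whose entity-expansion limits are enforced no matter what
# the installed XML::LibXML version uses as its default for 'huge'.
sub make_safe_parser {
    my $parser = XML::LibXML->new(
        huge         => 0,   # keep libxml2's entity amplification limits on
        load_ext_dtd => 0,   # do not fetch external DTDs
        no_network   => 1,   # never touch the network while parsing
    );
    # Fail closed if a global setting or newer default flipped it back on.
    die "parser unexpectedly has huge mode enabled\n" if $parser->huge;
    return $parser;
}

# Parse a string of untrusted XML. Returns ($doc, undef) on success or
# (undef, $message) when libxml2 rejects the input, so a runaway-entity
# document is reported the same way as any other malformed input.
sub parse_untrusted {
    my ($xml) = @_;
    my $parser = make_safe_parser();
    my $doc = eval { $parser->parse_string($xml) };
    if (!$doc) {
        # XML::LibXML dies with an XML::LibXML::Error object
        my $err = (ref $@ && $@->can('message')) ? $@->message : "$@";
        chomp $err;
        return (undef, $err);
    }
    return ($doc, undef);
}

# Constructed sample: a small internal entity still expands normally, because
# huge => 0 only caps runaway expansion; it does not disable entities.
my $benign = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY who "Grant"> ]>
<note>Hello &who;</note>
XML

my ($doc, $err) = parse_untrusted($benign);
if ($doc) {
    print "parsed OK: ", $doc->documentElement->textContent, "\n";
} else {
    # A deeply nested entity definition would land here with libxml2's
    # "entity reference loop" error instead of exhausting memory.
    print "rejected: $err\n";
}
```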


Comments (4)

  1. Shlomi Fish repo owner

    Hi Grant,

    I have a problem with tests failing here:

    t/43options.t ........................ 1/289 
    #   Failed test 'Testing option huge'
    #   at t/43options.t line 55.
    # Looks like you failed 1 test of 289.
    t/43options.t ........................ Dubious, test returned 1 (wstat 256, 0x100)                                                                              
    Failed 1/289 subtests 
    t/44extent.t ......................... ok   
    

    Can you investigate that? BTW, you should also add the new t/35huge_mode.t to the MANIFEST.

    Regards,

    -- Shlomi Fish

  2. Grant McLean author

    Hi Shlomi,

    Sorry for wasting your time on that. I thought I had all the tests passing but obviously not.

    The fixes for test and MANIFEST are included now.

    Grant