Christian Heimes committed 9984c4e

document new expat features

Files changed (1)

 
     "It's just XML, what could probably go wrong?"
 
+Christian Heimes <christian@python.org>
+
 Synopsis
 ========
 
 basically a stand-alone version of the patches for Python's standard
 library C extensions.
 
+Modifications to expat
+----------------------
+
+new definitions::
+
+  XML_BOMB_PROTECTION
+  XML_DEFAULT_MAX_ENTITY_INDIRECTIONS
+  XML_DEFAULT_MAX_ENTITY_EXPANSIONS
+  XML_DEFAULT_RESET_DTD
+
+new XML_FeatureEnum members::
+
+  XML_FEATURE_MAX_ENTITY_INDIRECTIONS
+  XML_FEATURE_MAX_ENTITY_EXPANSIONS
+  XML_FEATURE_IGNORE_DTD
+
+new XML_Error members::
+
+  XML_ERROR_ENTITY_INDIRECTIONS
+  XML_ERROR_ENTITY_EXPANSION
+
+new API functions::
+
+  int XML_GetFeature(XML_Parser parser,
+                     enum XML_FeatureEnum feature,
+                     long *value);
+  int XML_SetFeature(XML_Parser parser,
+                     enum XML_FeatureEnum feature,
+                     long value);
+  int XML_GetFeatureDefault(enum XML_FeatureEnum feature,
+                            long *value);
+  int XML_SetFeatureDefault(enum XML_FeatureEnum feature,
+                            long value);
+
+XML_FEATURE_MAX_ENTITY_INDIRECTIONS
+   Limit the amount of indirections that are allowed to occur during the
+   expansion of a nested entity. A counter starts when an entity reference
+   is encountered. It resets after the entity is fully expanded. The limit
+   protects the parser against exponential entity expansion attacks (aka
+   billion laughs attack). When the limit is exceeded the parser stops and
+   fails with `XML_ERROR_ENTITY_INDIRECTIONS`.
+   A value of 0 disables the protection.
+
+   Supported range
+     0 .. UINT_MAX
+   Default
+     40
+
+XML_FEATURE_MAX_ENTITY_EXPANSIONS
+   Limit the total length of all entity expansions throughout the entire
+   document. The lengths of all entities are accumulated in a parser variable.
+   The setting protects against quadratic blowup attacks (lots of expansions
+   of a large entity declaration). When the sum of all entities exceeds
+   the limit, the parser stops and fails with `XML_ERROR_ENTITY_EXPANSION`.
+   A value of 0 disables the protection.
+
+   Supported range
+     0 .. UINT_MAX
+   Default
+     8 MiB
+
+XML_FEATURE_RESET_DTD
+   Reset all DTD information after the <!DOCTYPE> block has been parsed. When
+   the flag is set (default: false) all DTD information after the
+   endDoctypeDeclHandler has been called. The flag can be set inside the
+   endDoctypeDeclHandler. Without DTD information any entity reference in
+   the document body leads to `XML_ERROR_UNDEFINED_ENTITY`.
+
+   Supported range
+     0, 1
+   Default
+     0
+
 
 How to avoid XML vulnerabilities
 ================================
 * Don't resolve externals
 * Limit parse depth
 * Limit total input size
+* Limit parse time
+* Favor a SAX or iterparse-like parser for potential large data
+* Validate and properly quote arguments to XSL transformations and
+  XPath queries
 * Don't use XPath expression from untrusted sources
 * Don't apply XSL transformations that come untrusted sources
-* Always validate and properly quote arguments to XSL transformations and
-  XPath queries
 
 (based on Brad Hill's `Attacking XML Security`_)
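Review bot: the name of the DTD feature is inconsistent within the new section: the list under `new XML_FeatureEnum members` adds `XML_FEATURE_IGNORE_DTD`, the define is `XML_DEFAULT_RESET_DTD`, and the description heading reads `XML_FEATURE_RESET_DTD`; pick one name and use it in all three places so the documented API matches the header. The `XML_FEATURE_RESET_DTD` paragraph also lost its main verb: "When the flag is set (default: false) all DTD information after the endDoctypeDeclHandler has been called" should say what happens, e.g. "all DTD information is discarded after the endDoctypeDeclHandler has been called". Two smaller points: `XML_GetFeature`/`XML_SetFeature` are declared with `long` while the supported ranges are stated as `0 .. UINT_MAX`, so either the type or the stated range should change so they agree ("amount of indirections" should also be "number of indirections"); and in the checklist the moved item dropped its leading "Always", while the unchanged neighbour "Don't apply XSL transformations that come untrusted sources" is missing "from" and could be fixed in the same commit.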
 