Bug 1031035: xmlrpc can be DoS'd with billion laughs attack

r=LpSolit a=justdave

Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
8beabdc1 · Byron Jones · Frédéric Buclin · 79b334dc · 8beabdc1 · 8beabdc1
Commit 8beabdc1 authored Aug 29, 2015 by Byron Jones Committed by Frédéric Buclin Aug 29, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

XMLRPC.pm Bugzilla/WebService/Server/XMLRPC.pm +9 -0

importxml.pl importxml.pl +3 -0

No files found.
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -96,6 +96,15 @@ use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
 use Bugzilla::WebService::Util qw(fix_credentials);
 use Scalar::Util qw(tainted);

+sub new {
+    my $self = shift->SUPER::new(@_);
+    # Initialise XML::Parser to not expand references to entities, to prevent DoS
+    require XML::Parser;
+    my $parser = XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } );
+    $self->{_parser}->parser($parser, $parser);
+    return $self;
+}
+
 sub deserialize {
    my $self = shift;


--- a/importxml.pl
+++ b/importxml.pl
@@ -1264,6 +1264,9 @@ my $twig = XML::Twig->new(
    },
    start_tag_handlers => { bugzilla => \&init }
 );
+# Prevent DoS using the billion laughs attack.
+$twig->{NoExpand} = 1;
+
 $twig->parse($xml);
 my $root       = $twig->root;
 my $maintainer = $root->{'att'}->{'maintainer'};