authorByron Jones <glob@mozilla.com>2015-04-13 08:16:06 +0200
committerByron Jones <glob@mozilla.com>2015-04-13 08:16:06 +0200
commitc3252406b334f83d0f2c03c58cee8a8697fc5c16 (patch)
tree3f07037a5692dd05d6a51324afe184300e65001b
parent6032799c8cd306b7dbdf5958847b371c309bfef3 (diff)
downloadbugzilla-c3252406b334f83d0f2c03c58cee8a8697fc5c16.tar.gz
bugzilla-c3252406b334f83d0f2c03c58cee8a8697fc5c16.tar.xz
Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
r=LpSolit,a=glob
-rw-r--r--Bugzilla/WebService/Server/XMLRPC.pm8
-rwxr-xr-ximportxml.pl3
2 files changed, 11 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index f3d95ef3d..03d93b597 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -134,6 +134,14 @@ use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
use Bugzilla::WebService::Util qw(fix_credentials);
use Scalar::Util qw(tainted);
+sub new {
+ my $self = shift->SUPER::new(@_);
+ # Initialise XML::Parser to not expand references to entities, to prevent DoS
+ require XML::Parser;
+ $self->{_parser}->parser(parser => XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } ));
+ return $self;
+}
+
sub deserialize {
my $self = shift;
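Review bot: The combination of `NoExpand => 1` and an empty `Default` handler in the new `sub new` means a request that references an internal entity is still accepted, with the reference silently dropped, and nothing in the change addresses entity declarations or external entity references, which `NoExpand` does not cover on its own. Since XML-RPC payloads have no legitimate use for a DTD, refusing any DOCTYPE is both stricter and easier to reason about, e.g. `Handlers => { Doctype => sub { die "DTD not allowed\n" }, Default => sub {} }`, while keeping `NoExpand => 1` as defence in depth; it is worth confirming that the SOAP::Lite parser layer, which presumably installs its own Start/End/Char handlers at decode time, leaves Doctype and Default in place. Writing straight into `$self->{_parser}` bypasses the deserializer's accessor, so `$self->parser->parser(parser => XML::Parser->new(...))` would be the more conventional form if that accessor is available here. A short comment stating why a DTD is never expected in this transport would make the intent clear to the next reader; the `deserialize` sub that follows continues past the end of the hunk.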
diff --git a/importxml.pl b/importxml.pl
index 8750c63a1..12831e0b9 100755
--- a/importxml.pl
+++ b/importxml.pl
@@ -1275,6 +1275,9 @@ my $twig = XML::Twig->new(
},
start_tag_handlers => { bugzilla => \&init }
);
+# Prevent DoS using the billion laughs attack.
+$twig->{NoExpand} = 1;
+
$twig->parse($xml);
my $root = $twig->root;
my $maintainer = $root->{'att'}->{'maintainer'};
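Review bot: `$twig->{NoExpand} = 1;` pokes the option into the object's internal hash after construction and relies on XML::Twig passing its own hash contents through to XML::Parser; the documented route is the constructor option, so moving it into the `XML::Twig->new(` call as `no_expand => 1,` alongside the existing handler options keeps the protection visible with the other parser settings and survives a change in XML::Twig internals. `NoExpand` only stops expansion of internal entity references, so whether an imported file can still pull in external entities depends on XML::Twig's `expand_external_ents` setting and its default ExternEnt handling, which the comment on the new line should state once confirmed, e.g. `# Do not expand internal entities (billion laughs); external entities are off by default - verify.` The `XML::Twig->new(` call these lines belong to starts before the hunk.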