Bug 1031035: xmlrpc can be DoS'd with billion laughs attack

author: Byron Jones <glob@mozilla.com> 2015-04-13 08:16:13 +0200
committer: Byron Jones <glob@mozilla.com> 2015-04-13 08:16:13 +0200
commit: 8342d0f7a04e0956218dbfa687a0f60f358f16da (patch)
tree: 9e608af81c4bcde29eb21c55115263accaf2edc9 /Bugzilla/WebService
parent: cb8e12074cbf97d3df25fe490466bfbd84c65676 (diff)
download: bugzilla-8342d0f7a04e0956218dbfa687a0f60f358f16da.tar.gz
bugzilla-8342d0f7a04e0956218dbfa687a0f60f358f16da.tar.xz
1 files changed, 8 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index 69ba4c0d8..834ea60bf 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -140,6 +140,14 @@ use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
 use Bugzilla::WebService::Util qw(fix_credentials);
 use Scalar::Util qw(tainted);
 
+sub new {
+    my $self = shift->SUPER::new(@_);
+    # Initialise XML::Parser to not expand references to entities, to prevent DoS
+    require XML::Parser;
+    $self->{_parser}->parser(parser => XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } ));
+    return $self;
+}
+
 sub deserialize {
     my $self = shift;
author	Byron Jones <glob@mozilla.com>	2015-04-13 08:16:13 +0200
committer	Byron Jones <glob@mozilla.com>	2015-04-13 08:16:13 +0200
commit	8342d0f7a04e0956218dbfa687a0f60f358f16da (patch)
tree	9e608af81c4bcde29eb21c55115263accaf2edc9 /Bugzilla/WebService
parent	cb8e12074cbf97d3df25fe490466bfbd84c65676 (diff)
download	bugzilla-8342d0f7a04e0956218dbfa687a0f60f358f16da.tar.gz bugzilla-8342d0f7a04e0956218dbfa687a0f60f358f16da.tar.xz