summaryrefslogtreecommitdiffstats
path: root/Bugzilla/WebService
diff options
context:
space:
mode:
authorByron Jones <glob@mozilla.com>2015-04-13 08:16:06 +0200
committerByron Jones <glob@mozilla.com>2015-04-13 08:16:06 +0200
commitc3252406b334f83d0f2c03c58cee8a8697fc5c16 (patch)
tree3f07037a5692dd05d6a51324afe184300e65001b /Bugzilla/WebService
parent6032799c8cd306b7dbdf5958847b371c309bfef3 (diff)
downloadbugzilla-c3252406b334f83d0f2c03c58cee8a8697fc5c16.tar.gz
bugzilla-c3252406b334f83d0f2c03c58cee8a8697fc5c16.tar.xz
Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
r=LpSolit,a=glob
Diffstat (limited to 'Bugzilla/WebService')
-rw-r--r--Bugzilla/WebService/Server/XMLRPC.pm8
1 files changed, 8 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index f3d95ef3d..03d93b597 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -134,6 +134,14 @@ use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
use Bugzilla::WebService::Util qw(fix_credentials);
use Scalar::Util qw(tainted);
+sub new {
+ my $self = shift->SUPER::new(@_);
+ # Initialise XML::Parser to not expand references to entities, to prevent DoS
+ require XML::Parser;
+ $self->{_parser}->parser(parser => XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } ));
+ return $self;
+}
+
sub deserialize {
my $self = shift;