diff options
author | Byron Jones <glob@mozilla.com> | 2015-04-13 08:16:13 +0200 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2015-04-13 08:16:13 +0200 |
commit | 8342d0f7a04e0956218dbfa687a0f60f358f16da (patch) | |
tree | 9e608af81c4bcde29eb21c55115263accaf2edc9 /Bugzilla | |
parent | cb8e12074cbf97d3df25fe490466bfbd84c65676 (diff) | |
download | bugzilla-8342d0f7a04e0956218dbfa687a0f60f358f16da.tar.gz bugzilla-8342d0f7a04e0956218dbfa687a0f60f358f16da.tar.xz |
Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/WebService/Server/XMLRPC.pm | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm index 69ba4c0d8..834ea60bf 100644 --- a/Bugzilla/WebService/Server/XMLRPC.pm +++ b/Bugzilla/WebService/Server/XMLRPC.pm @@ -140,6 +140,14 @@ use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST); use Bugzilla::WebService::Util qw(fix_credentials); use Scalar::Util qw(tainted); +sub new { + my $self = shift->SUPER::new(@_); + # Initialise XML::Parser to not expand references to entities, to prevent DoS + require XML::Parser; + $self->{_parser}->parser(parser => XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } )); + return $self; +} + sub deserialize { my $self = shift; |