From c3252406b334f83d0f2c03c58cee8a8697fc5c16 Mon Sep 17 00:00:00 2001
From: Byron Jones <glob@mozilla.com>
Date: Mon, 13 Apr 2015 14:16:06 +0800
Subject: Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
 r=LpSolit,a=glob

---
 Bugzilla/WebService/Server/XMLRPC.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'Bugzilla/WebService')

diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index f3d95ef3d..03d93b597 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -134,6 +134,14 @@ use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
 use Bugzilla::WebService::Util qw(fix_credentials);
 use Scalar::Util qw(tainted);
 
+sub new {
+    my $self = shift->SUPER::new(@_);
+    # Initialise XML::Parser to not expand references to entities, to prevent DoS
+    require XML::Parser;
+    $self->{_parser}->parser(parser => XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } ));
+    return $self;
+}
+
 sub deserialize {
     my $self = shift;
 
-- 
cgit v1.2.3-24-g4f1b