Hi Jorge,
I brought this up quite some time ago, which is why I have been moving
away from AVG since I was basically ignored here :-) That and AVG's many
false positives. What is worse is that XML bomb won't hurt anything
anymore, and it can be gotten around AVG as well just by adding a
certain amount of more recursions. I will not post the exact number, but
at some point it will be bypassed.
My thoughts on this are: if this problem is fixed, why does there need to
be a test against it anymore other than breaking said fix in the future
and therefore becoming vulnerable again?
Gregg
Jorge Schrauwen wrote:
I'm about to build the x64 binaries for on my website and AVG on my
development machine throws this at me.
Warning: XML Bomb:
srclib/apr-util/test/data/billion-laughs.xml
See attached screenshots, most likely harmless but not a nice welcome
when unpacking the source.
Kind regards
Jorge