On Wed, Aug 20, 2008 at 07:00:51PM +0200, Daniel Veillard wrote:
>   Bad news, when checking against recursive entities expansion problem
> back when it was made official (c.f. the billion laughs attack circa
> 2004) I had checked for the normal recursion, but when happening in
> an attribute value the resource consumption is way faster and the
> recursion detection in place is not sufficient to catch the problem.
> 
>   Basically when this happens within an attribute just checking for
> a recursion depth is not sufficient, and the only good method I could
> find was to count the number of entities replacement taking place while
> parsing a given document, and drop parsing after half a million
> substitutions. I think it's a fair default process and what the patches
> below implement for various libxml2 versions, but I can understand that
> in some cases that may be problematic. So I intend in the next release
> (2.7.0 hopefully available soon) to add a parser flag removing the
> hardcoded limits (there is also a maximum document depth in place).
> 
>   Distributions have been made aware of the problem for a couple of
> weeks and updates should be available soon from normal update channels.
> I'm updating SVN with the fix too,

FWIW, this patch broke binary compatibility with librsvg, which,
foolishly, creates xmlEntity objects "by hand" with a
malloc(sizeof(xmlEntity)), in rsvg_entity_decl, which it sets as SAX
entity handler.

I hope there aren't any more surprises with other libraries or programs.

Mike
_______________________________________________
xml mailing list, project page  http://xmlsoft.org/
http://mail.gnome.org/mailman/listinfo/xml
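
The substitution budget described in the quoted announcement, sketched as an added example; this is not libxml2's code and not from either poster. It shows a depth check staying quiet while the per-document substitution counter stops the parse. The entity table, the function names and the depth limit of 40 are assumptions made for the sketch, and attribute-value handling is not modelled.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SUBST 500000L /* "half a million" budget from the mail */
#define MAX_DEPTH 40      /* assumed depth limit for this sketch */
#define R(n) "&" n ";&" n ";&" n ";&" n ";&" n ";&" n ";&" n ";&" n ";&" n ";&" n ";"
/* Constructed sample: each entity references the previous one ten times. */
static const struct { const char *name, *value; } table[] = {
    {"e0", "lol"},   {"e1", R("e0")}, {"e2", R("e1")}, {"e3", R("e2")},
    {"e4", R("e3")}, {"e5", R("e4")}, {"e6", R("e5")}, {"e7", R("e6")},
};
struct state { long subst; int deepest; };
static const char *lookup(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strlen(table[i].name) == len && !strncmp(table[i].name, name, len))
            return table[i].value;
    return NULL;
}
/* Follow every reference in s; returns 0 when done, -1 when a limit is hit. */
static int expand(const char *s, int depth, struct state *st) {
    if (depth > MAX_DEPTH) return -1;            /* depth check alone */
    if (depth > st->deepest) st->deepest = depth;
    while (*s) {
        const char *end = (*s == '&') ? strchr(s, ';') : NULL;
        const char *v = end ? lookup(s + 1, (size_t)(end - s - 1)) : NULL;
        if (!v) { s++; continue; }               /* not a known reference */
        if (++st->subst > MAX_SUBST) return -1;  /* per-document budget */
        if (expand(v, depth + 1, st) != 0) return -1;
        s = end + 1;
    }
    return 0;
}

/* Substitutions needed for doc, or -1 if parsing would be dropped. */
long substitutions(const char *doc) {
    struct state st = {0, 0};
    return expand(doc, 0, &st) == 0 ? st.subst : -1;
}

/* Deepest nesting reached before finishing or being stopped. */
int depth_reached(const char *doc) {
    struct state st = {0, 0};
    expand(doc, 0, &st);
    return st.deepest;
}

int main(void) {
    printf("&e2;: %ld, &e7;: %ld at depth %d\n", substitutions("&e2;"),
           substitutions("&e7;"), depth_reached("&e7;"));
    return 0;
}
```

Here `&e7;` never nests deeper than 8 levels, far below the depth limit, yet it would need over eleven million substitutions, so only the counter ends the parse.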