Comment 22 for bug 1100282

Joshua Harlow (harlowja) wrote : Re: DoS through XML entity expansion

This example causes the expat library to turn off entity expansion.

Looking at the C code, there is an odd section that this causes to run.

void XMLCALL
XML_SetDefaultHandler(XML_Parser parser,
                      XML_DefaultHandler handler)
{
  defaultHandler = handler;
  defaultExpandInternalEntities = XML_FALSE;
}

Basically, by setting the default handler to anything, it will cause expansion to stop.
Normal XML documents seem to flow through just fine.
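
The behaviour described in the comment above can be observed from Python's `xml.parsers.expat` binding. This is an added example, not part of the original comment or the project's code: the small document and the `parse` helper are constructed for illustration, and the comparison with `DefaultHandlerExpand` (expat's `XML_SetDefaultHandlerExpand`) goes slightly beyond the case quoted.

```python
import xml.parsers.expat

# Constructed sample: a small, harmless nested internal entity (12 bytes expanded).
DOC = b"""<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY a "AAAA">
  <!ENTITY b "&a;&a;&a;">
]>
<r>&b;</r>"""


def parse(doc, mode=None):
    """Parse doc and return (character data, unexpanded entity references).

    mode=None      -> no default handler installed
    mode="default" -> DefaultHandler (XML_SetDefaultHandler)
    mode="expand"  -> DefaultHandlerExpand (XML_SetDefaultHandlerExpand)
    """
    text, unexpanded = [], []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def on_default(data):
        # The default handler also receives prolog/DTD tokens; keep only
        # entity references that were passed through instead of expanded.
        if data.startswith("&") and data.endswith(";"):
            unexpanded.append(data)

    if mode == "default":
        parser.DefaultHandler = on_default
    elif mode == "expand":
        parser.DefaultHandlerExpand = on_default

    parser.Parse(doc, True)
    return "".join(text), unexpanded


if __name__ == "__main__":
    for mode in (None, "default", "expand"):
        print(mode, parse(DOC, mode))
```
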