Comment 26 for bug 1100282

Doug Hellmann (doug-hellmann) wrote : Re: DoS through XML entity expansion

@Thierry, based on the informal conversation I had with Jesse Noller yesterday, I definitely recommend contacting the security team. Given that they are working on some sort of patch already, they may have done analysis that tells them this is an issue with the stdlib. At the very least, the example cases uncovered by this bug report could give them more tests for that patch. If it turns out the solution is better runtime configuration, we may be able to influence their default settings or the API for configuring the parser.

In any case, Jesse strongly encouraged us to talk to them. I would do it, but it would be better for someone with stronger knowledge of the issue to have that conversation.