Comment 40 for bug 1100282

Christian Heimes (heimes) wrote : Re: DoS through XML entity expansion

Two quick comments.

1) It's sufficient and a little bit faster to write:

from xml.sax.expatreader import ExpatParser  # import added; the snippet subclasses the xml.sax Expat reader (assumed)

class ExpatParserNoEntity(ExpatParser):
    def reset(self):
        ExpatParser.reset(self)
        # None clears expat's internal-entity expansion flag along with the handler
        self._parser.DefaultHandler = None

None disables the feature completely.

2) You should definitely disable entity expansion in LXML. Although libxml2 protects from excessive exponential expansion, it's still vulnerable to quadratic blowup. I'm in contact with a libxml2 developer.
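To show what the DefaultHandler = None trick does in practice, here is an added example (not code from the bug report or its author), written against xml.sax.expatreader.ExpatParser on Python 3 with a constructed test document; the Recorder handler and parse_with() helper are my own names.

```python
from io import BytesIO
from xml.sax.expatreader import ExpatParser
from xml.sax.handler import ContentHandler

class ExpatParserNoEntity(ExpatParser):
    """xml.sax ExpatParser that never expands internal entities in element content."""

    def reset(self):
        ExpatParser.reset(self)
        # Assigning None makes pyexpat call XML_SetDefaultHandler(parser, NULL),
        # which also clears expat's "expand internal entities" flag, so an entity
        # reference in content is reported via skippedEntity() instead of expanded.
        self._parser.DefaultHandler = None

class Recorder(ContentHandler):
    """Collects character data, attribute values and skipped entity names."""

    def __init__(self):
        super().__init__()
        self.text, self.attrs, self.skipped = [], {}, []

    def characters(self, content):
        self.text.append(content)

    def startElement(self, name, attrs):
        self.attrs.update(attrs.items())

    def skippedEntity(self, name):
        self.skipped.append(name)

# Constructed sample document: one internal entity, referenced both in
# element content and in an attribute value.
SAMPLE = (b'<?xml version="1.0"?>'
          b'<!DOCTYPE d [<!ENTITY e "expanded">]>'
          b'<d a="&e;">&e;</d>')

def parse_with(parser_cls, data=SAMPLE):
    """Parse data with parser_cls; return (text, attribute a, skipped entity names)."""
    parser = parser_cls()
    rec = Recorder()
    parser.setContentHandler(rec)
    parser.parse(BytesIO(data))
    return "".join(rec.text), rec.attrs.get("a"), rec.skipped

if __name__ == "__main__":
    print(parse_with(ExpatParser))          # ('expanded', 'expanded', [])
    print(parse_with(ExpatParserNoEntity))  # ('', 'expanded', ['e'])
```

With the stock parser both references expand; with the subclass the reference in element content is handed to skippedEntity() and dropped, while the one in the attribute value is still expanded by expat, so this guard covers element content only.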