Re: mod_dontdothat does not inhibit XML entity expansion

2016-04-24 Thread Florian Weimer
* Daniel Shahaf:
> You can simply email the details to d...@subversion.apache.org, in
> addition to or instead of opening a jira ticket [jira is under
> a temporary lockdown right now].

Right, and it's still suspended. I will post to dev@.

Re: mod_dontdothat does not inhibit XML entity expansion

2016-04-23 Thread Daniel Shahaf
Stefan Sperling wrote on Sat, Apr 23, 2016 at 18:31:39 +0200:
> On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
> > It seems that mod_dontdothat creates an Expat XML parser without
> > inhibiting XML entity expansion for the internal DTD subset. This
> > might cause a denial-of-ser

Re: mod_dontdothat does not inhibit XML entity expansion

2016-04-23 Thread Florian Weimer
* Stefan Sperling:
> On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
>> It seems that mod_dontdothat creates an Expat XML parser without
>> inhibiting XML entity expansion for the internal DTD subset. This
>> might cause a denial-of-service issue when parsing client-submitted
>> X

Re: mod_dontdothat does not inhibit XML entity expansion

2016-04-23 Thread Stefan Sperling
On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
> It seems that mod_dontdothat creates an Expat XML parser without
> inhibiting XML entity expansion for the internal DTD subset. This
> might cause a denial-of-service issue when parsing client-submitted
> XML.
>
> There are other p

mod_dontdothat does not inhibit XML entity expansion

2016-04-23 Thread Florian Weimer
It seems that mod_dontdothat creates an Expat XML parser without inhibiting XML entity expansion for the internal DTD subset. This might cause a denial-of-service issue when parsing client-submitted XML. There are other pieces of code in Subversion which also create Expat parsers this way, but th