On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote: > It seems that mod_dontdothat creates an Expat XML parser without > inhibiting XML entity expansion for the internal DTD subset. This > might cause a denial-of-service issue when parsing client-submitted > XML. > > There are other pieces of code in Subversion which also create Expat > parsers this way, but they are in the client code, so there is less > exposure. > > May I file an issue for this?
Sure. If you'd rather not expose details publicly, you can instead submit a report as described here: http://subversion.apache.org/security/
