subversion-users mailing list archives

From Stefan Sperling <s...@elego.de>
Subject Re: mod_dontdothat does not inhibit XML entity expansion
Date Sat, 23 Apr 2016 16:31:39 GMT
On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
> It seems that mod_dontdothat creates an Expat XML parser without
> inhibiting XML entity expansion for the internal DTD subset.  This
> might cause a denial-of-service issue when parsing client-submitted
> XML.
> 
> There are other pieces of code in Subversion which also create Expat
> parsers this way, but they are in the client code, so there is less
> exposure.
> 
> May I file an issue for this?

Sure.

If you'd rather not expose details publicly, you can instead submit
a report as described here: http://subversion.apache.org/security/

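The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Subversion's code: an Expat parser expands entities declared in the internal DTD subset unless the application intervenes, and an entity-declaration handler that aborts the parse is one way to inhibit it. It uses Python's `xml.parsers.expat` binding to the same library; the function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: a small internal DTD subset with nested entities.
SAMPLE_WITH_DTD = (
    b'<!DOCTYPE r [<!ENTITY a "xxxx"><!ENTITY b "&a;&a;&a;">]>'
    b'<r>&b;&b;</r>'
)
# Constructed sample: the kind of document with no DTD at all.
SAMPLE_PLAIN = b'<r>hello</r>'


class EntityDeclarationRejected(Exception):
    """Raised as soon as the document declares any entity."""


def _reject_entity_decl(name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # Fires while the DTD is parsed, before any reference is expanded.
    raise EntityDeclarationRejected(name)


def expanded_length(document, reject_entities):
    """Parse `document`; return how many characters of text Expat produced."""
    total = 0

    def on_text(data):
        nonlocal total
        total += len(data)

    parser = expat.ParserCreate()
    parser.CharacterDataHandler = on_text
    if reject_entities:
        # Hardened setup: any entity declaration aborts the parse.
        parser.EntityDeclHandler = _reject_entity_decl
    parser.Parse(document, True)
    return total


def is_rejected(document):
    """True if the hardened parser refuses the document."""
    try:
        expanded_length(document, reject_entities=True)
    except EntityDeclarationRejected:
        return True
    return False
```

With the default parser the 6 characters of `&b;&b;` in the sample become 24 characters of text; the hardened parser stops at the first `<!ENTITY` declaration and still accepts documents that carry no DTD.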