From users-return-24600-apmail-subversion-users-archive=subversion.apache.org@subversion.apache.org  Sat Apr 23 21:50:53 2016
Return-Path: <users-return-24600-apmail-subversion-users-archive=subversion.apache.org@subversion.apache.org>
X-Original-To: apmail-subversion-users-archive@minotaur.apache.org
Delivered-To: apmail-subversion-users-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 01EE019E2A
	for <apmail-subversion-users-archive@minotaur.apache.org>; Sat, 23 Apr 2016 21:50:53 +0000 (UTC)
Received: (qmail 31817 invoked by uid 500); 23 Apr 2016 21:50:52 -0000
Delivered-To: apmail-subversion-users-archive@subversion.apache.org
Received: (qmail 31781 invoked by uid 500); 23 Apr 2016 21:50:52 -0000
Mailing-List: contact users-help@subversion.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@subversion.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@subversion.apache.org>
List-Post: <mailto:users@subversion.apache.org>
List-Id: <users.subversion.apache.org>
Delivered-To: mailing list users@subversion.apache.org
Received: (qmail 31770 invoked by uid 99); 23 Apr 2016 21:50:52 -0000
Received: from mail-relay.apache.org (HELO mail-relay.apache.org) (140.211.11.15)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 23 Apr 2016 21:50:52 +0000
Received: by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org, from userid 3316)
	id 6A2531A0140; Sat, 23 Apr 2016 21:50:52 +0000 (UTC)
Date: Sat, 23 Apr 2016 21:50:49 +0000
From: Daniel Shahaf <danielsh@apache.org>
To: Florian Weimer <fw@deneb.enyo.de>, users@subversion.apache.org
Subject: Re: mod_dontdothat does not inhibit XML entity expansion
Message-ID: <20160423215049.GB5310@tarsus.local2>
References: <8737qcial0.fsf@mid.deneb.enyo.de>
 <20160423163139.GR16494@ted.stsp.name>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160423163139.GR16494@ted.stsp.name>
User-Agent: Mutt/1.5.21 (2010-09-15)

Stefan Sperling wrote on Sat, Apr 23, 2016 at 18:31:39 +0200:
> On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
> > It seems that mod_dontdothat creates an Expat XML parser without
> > inhibiting XML entity expansion for the internal DTD subset.  This
> > might cause a denial-of-service issue when parsing client-submitted
> > XML.
> > 
> > There are other pieces of code in Subversion which also create Expat
> > parsers this way, but they are in the client code, so there is less
> > exposure.
> > 
> > May I file an issue for this?
> 
> Sure.

You can simply email the details to dev@subversion.apache.org, in
addition to or instead of opening a jira ticket [jira is under
a temporary lockdown right now].

Thanks,

Daniel