From: Byron Jones <glob@mozilla.com>
Date: Mon, 13 Apr 2015 06:16:10 +0000 (+0800)
Subject: Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
X-Git-Tag: bugzilla-5.0rc3~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ca129b9c3ddab54df2e3c1f268b424028e20261;p=thirdparty%2Fbugzilla.git

Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
r=LpSolit,a=glob
---

diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index a49ac20339..56e4dbe58d 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -131,6 +131,14 @@ use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
 use Bugzilla::WebService::Util qw(fix_credentials);
 use Scalar::Util qw(tainted);
 
+sub new {
+    my $self = shift->SUPER::new(@_);
+    # Initialise XML::Parser to not expand references to entities, to prevent DoS
+    require XML::Parser;
+    $self->{_parser}->parser(parser => XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } ));
+    return $self;
+}
+
 sub deserialize {
     my $self = shift;
 
diff --git a/importxml.pl b/importxml.pl
index 8750c63a11..12831e0b94 100755
--- a/importxml.pl
+++ b/importxml.pl
@@ -1275,6 +1275,9 @@ my $twig = XML::Twig->new(
     },
     start_tag_handlers => { bugzilla => \&init }
 );
+# Prevent DoS using the billion laughs attack.
+$twig->{NoExpand} = 1;
+
 $twig->parse($xml);
 my $root       = $twig->root;
 my $maintainer = $root->{'att'}->{'maintainer'};