From: Byron Jones <glob@mozilla.com>
Date: Tue, 14 Apr 2015 16:36:17 +0000 (+0800)
Subject: Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
X-Git-Tag: release-5.1.1~280
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bdd9c47cc031109dc606e99fc3bc424f0f6521a3;p=thirdparty%2Fbugzilla.git

Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
r=LpSolit,a=glob
---

diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index 03d93b5977..c28c3e10cb 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -138,7 +138,8 @@ sub new {
     my $self = shift->SUPER::new(@_);
     # Initialise XML::Parser to not expand references to entities, to prevent DoS
     require XML::Parser;
-    $self->{_parser}->parser(parser => XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } ));
+    my $parser = XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } );
+    $self->{_parser}->parser($parser, $parser);
     return $self;
 }