Diffstat (limited to 'www/apache22/files/patch-apr-fix-apr_xml-expat-attack')
-rw-r--r--www/apache22/files/patch-apr-fix-apr_xml-expat-attack51
1 files changed, 0 insertions, 51 deletions
diff --git a/www/apache22/files/patch-apr-fix-apr_xml-expat-attack b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
deleted file mode 100644
index 2040f082ea2d..000000000000
--- a/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
+++ /dev/null
@@ -1,51 +0,0 @@
-Taken from
- http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch
-
---- srclib/apr-util/xml/apr_xml.c 2009/03/24 11:12:27 757729
-+++ srclib/apr-util/xml/apr_xml.c 2009/06/03 14:26:19 781403
-@@ -347,6 +347,25 @@
- return APR_SUCCESS;
- }
-
-+#if XML_MAJOR_VERSION > 1
-+/* Stop the parser if an entity declaration is hit. */
-+static void entity_declaration(void *userData, const XML_Char *entityName,
-+ int is_parameter_entity, const XML_Char *value,
-+ int value_length, const XML_Char *base,
-+ const XML_Char *systemId, const XML_Char *publicId,
-+ const XML_Char *notationName)
-+{
-+ apr_xml_parser *parser = userData;
-+
-+ XML_StopParser(parser->xp, XML_FALSE);
-+}
-+#else
-+/* A noop default_handler. */
-+static void default_handler(void *userData, const XML_Char *s, int len)
-+{
-+}
-+#endif
-+
- APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
- {
- apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
-@@ -372,6 +391,19 @@
- XML_SetElementHandler(parser->xp, start_handler, end_handler);
- XML_SetCharacterDataHandler(parser->xp, cdata_handler);
-
-+ /* Prevent the "billion laughs" attack against expat by disabling
-+ * internal entity expansion. With 2.x, forcibly stop the parser
-+ * if an entity is declared - this is safer and a more obvious
-+ * failure mode. With older versions, installing a noop
-+ * DefaultHandler means that internal entities will be expanded as
-+ * the empty string, which is also sufficient to prevent the
-+ * attack. */
-+#if XML_MAJOR_VERSION > 1
-+ XML_SetEntityDeclHandler(parser->xp, entity_declaration);
-+#else
-+ XML_SetDefaultHandler(parser->xp, default_handler);
-+#endif
-+
- return parser;
- }
-