xml-dev - Re: [xml-dev] Malicious XML

Re: [xml-dev] Malicious XML

[ Lists Home | Date Index | Thread Index ]

To: "Richard Tobin" <richard@cogsci.ed.ac.uk>,<xml-dev@lists.xml.org>
Subject: Re: [xml-dev] Malicious XML
From: "Karl Waclawek" <karl@waclawek.net>
Date: Fri, 15 Nov 2002 10:08:13 -0500
References: <200211151501.PAA11843@mcpherson.cogsci.ed.ac.uk>


> >Any chance of some details of just what it is in the internal subset 
> >which triggers this behaviour, and how?
> 
> You can easily construct a few entities that expand to a huge result.
> Depending on how your parser returns things, this may use lots of
> memory or merely use up lots of cpu time.  There is an example at
> 
>   http://www.cogsci.ed.ac.uk/~richard/billion-laughs.xml
> 
> I don't recommend loading this file into a browser.

This is exactly the attack reported to us.
So I don't need to post it anymore.

For Expat and MSXML this is a CPU hog only.
However, you can turn it into a memory hog on these parsers
by using an external subset and PE entities/references instead
of GE references/entities (except for the last one).

Karl

References:
- Re: [xml-dev] Malicious XML
  - From: Richard Tobin <richard@cogsci.ed.ac.uk>

Prev by Date: RE: [xml-dev] dtds, schemas, xhtml, and multimedia technologies
Next by Date: RE: [xml-dev] dtds, schemas, xhtml, and multimedia technologies
Previous by thread: Re: [xml-dev] Malicious XML
Next by thread: Re: [xml-dev] Malicious XML
Index(es):
- Date
- Thread