diff options
| author | Byron Jones <glob@mozilla.com> | 2015-04-13 14:16:10 +0800 |
|---|---|---|
| committer | Byron Jones <glob@mozilla.com> | 2015-04-13 14:16:10 +0800 |
| commit | 2ca129b9c3ddab54df2e3c1f268b424028e20261 (patch) | |
| tree | 8737d54dbf6081a29c896ec77c12c1de959b6d58 /Bugzilla/WebService/Server/XMLRPC.pm | |
| parent | 05c0a40a304e28aad4c379b02f94a147182f44d1 (diff) | |
| download | bugs-2ca129b9c3ddab54df2e3c1f268b424028e20261.tar bugs-2ca129b9c3ddab54df2e3c1f268b424028e20261.tar.gz bugs-2ca129b9c3ddab54df2e3c1f268b424028e20261.tar.bz2 bugs-2ca129b9c3ddab54df2e3c1f268b424028e20261.tar.xz bugs-2ca129b9c3ddab54df2e3c1f268b424028e20261.zip | |
Bug 1031035: xmlrpc can be DoS'd with billion laughs attack
r=LpSolit,a=glob
Diffstat (limited to 'Bugzilla/WebService/Server/XMLRPC.pm')
| -rw-r--r-- | Bugzilla/WebService/Server/XMLRPC.pm | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm index a49ac2033..56e4dbe58 100644 --- a/Bugzilla/WebService/Server/XMLRPC.pm +++ b/Bugzilla/WebService/Server/XMLRPC.pm @@ -131,6 +131,14 @@ use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST); use Bugzilla::WebService::Util qw(fix_credentials); use Scalar::Util qw(tainted); +sub new { + my $self = shift->SUPER::new(@_); + # Initialise XML::Parser to not expand references to entities, to prevent DoS + require XML::Parser; + $self->{_parser}->parser(parser => XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } )); + return $self; +} + sub deserialize { my $self = shift; |