On Fri, 2025-03-14 at 16:41 +0100, Nico Verwer (Rakensi) wrote:
The latest release says: "Entities: expansion limit exceeded or recursive definitions found." No more billion laughs!
Note that this attack affects every language with the ability to make new objects by joining strings, including JavaScript (which imposes a similar limit).
For example, in XQuery,
let $s1 := ":-) :-) :-)", $s2 := $s1 || $s1 || $s1 || $s1 || $s1 || $s1, $s3 := $s2 || $s2 || $s2 || $s2 || $s2 || $s2 return $s3 || $s3
(probably you have to go a bit further but you see the idea).
A public-facing page that accepts XPath, XQuery or XSLT should have limits on memory usage, e.g. with setrlimit on Linux or Unix systems (e.g. using the bash ulimit command).
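As an added illustration (not code from this thread or from any of the XML processors discussed), the check below computes how large a chain of string definitions would become before anything is evaluated, which is the same idea as an entity-expansion limit: it walks a simplified `let $x := ... return ...` subset of XQuery (only string literals and `$name` references joined with `||`, a constructed toy parser rather than a real XQuery parser), refuses both oversized expansions and recursive definitions, and shows the setrlimit fallback the message recommends. The `check_query` and `run_with_memory_limit` names and the `__return__` pseudo-variable are this example's own.

```python
"""Expansion-size check for chained string concatenations (constructed example)."""
import re
import subprocess
from typing import Dict, List, Tuple, Union

Part = Union[str, Tuple[str, str]]  # literal text, or ("ref", variable_name)

# One `$name := expr` clause; the lookahead stops at the next clause or end of text.
# Assumes literals never contain the sequence `, $x :=`.
DEF_RE = re.compile(r"\$(\w+)\s*:=\s*(.*?)(?=,\s*\$\w+\s*:=|$)", re.S)


class ExpansionLimitExceeded(Exception):
    pass


class RecursiveDefinition(Exception):
    pass


def parse_parts(expr: str) -> List[Part]:
    """Split an expression on `||` into literals and `$name` references."""
    parts: List[Part] = []
    for tok in expr.split("||"):
        tok = tok.strip()
        if tok.startswith("$"):
            parts.append(("ref", tok[1:]))
        elif len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
            parts.append(tok[1:-1])
        else:
            raise ValueError(f"unsupported token: {tok!r}")
    return parts


def parse_let(query: str) -> Dict[str, List[Part]]:
    """Parse `let $a := ..., $b := ... return ...` into name -> parts.

    The return expression is stored under the pseudo-name `__return__`.
    """
    body = query.strip()
    if not body.startswith("let "):
        raise ValueError("expected a query starting with 'let'")
    defs_text, _, ret = body[4:].rpartition(" return ")
    defs = {name: parse_parts(expr) for name, expr in DEF_RE.findall(defs_text)}
    defs["__return__"] = parse_parts(ret)
    return defs


def expanded_length(defs: Dict[str, List[Part]], name: str, limit: int) -> int:
    """Length of the fully expanded value of `name`, computed without building it.

    Raises ExpansionLimitExceeded as soon as any partial total passes `limit`,
    and RecursiveDefinition if a definition refers back to itself.
    """
    memo: Dict[str, int] = {}
    in_progress: set = set()

    def size(n: str) -> int:
        if n in memo:
            return memo[n]
        if n in in_progress:
            raise RecursiveDefinition(n)
        in_progress.add(n)
        total = 0
        for part in defs[n]:
            total += len(part) if isinstance(part, str) else size(part[1])
            if total > limit:
                raise ExpansionLimitExceeded(f"${n}: {total} characters > limit {limit}")
        in_progress.discard(n)
        memo[n] = total
        return total

    return size(name)


def check_query(query: str, limit: int = 1_000_000) -> int:
    """Return the size of the query's result, or raise before evaluating it."""
    return expanded_length(parse_let(query), "__return__", limit)


def run_with_memory_limit(argv: List[str], max_bytes: int) -> subprocess.CompletedProcess:
    """Run a command in a child whose address space is capped with setrlimit.

    This is the process-level backstop from the message above (Linux/Unix only);
    the `resource` module is imported here so the rest stays importable elsewhere.
    """
    import resource

    def cap() -> None:
        resource.setrlimit(resource.RLIMIT_AS, (max_bytes, max_bytes))

    return subprocess.run(argv, preexec_fn=cap, capture_output=True, text=True)


# Constructed sample: the query from the message (11-char literal, x6, x6, x2).
SAMPLE = ('let $s1 := ":-) :-) :-)", $s2 := $s1 || $s1 || $s1 || $s1 || $s1 || $s1, '
          '$s3 := $s2 || $s2 || $s2 || $s2 || $s2 || $s2 return $s3 || $s3')

if __name__ == "__main__":
    print("expanded size:", check_query(SAMPLE))        # 792
    try:
        check_query(SAMPLE, limit=500)
    except ExpansionLimitExceeded as exc:
        print("rejected:", exc)
```

Because the size is accumulated per definition and checked after each part, a chain that doubles a few more times is rejected at the first definition that crosses the limit, long before the memo reaches the final expression; the rlimit wrapper covers evaluators you cannot instrument this way.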