Prevent xml bomb XercesDOMParser - C++

Developer (https://www.devze.com) 2023-02-22 07:04 Source: Internet
I am using XercesDOMParser to read an XML file in Linux (C++). I want to prevent an XML bomb (Billion laughs), so I set these properties:

parser->setDoNamespaces(true);
parser->setDisableDefaultEntityResolution(true);
parser->setEntityResolver(NULL);
parser->setSkipDTDValidation(true);

However, it doesn't help and the bomb still remains. Do you know how to prevent it? (I have to use Xerces with DOM only.)

10x!


There is no direct way to prevent entity expansion, and thus prevent the billion laughs attack. This is because billion laughs attacks can be well-formed XML, and XercesDOMParser is a pretty strict implementation of DOM. However, you can prevent the billion laughs attack in Xerces by adding a SecurityManager.

#include <xercesc/util/SecurityManager.hpp>
using namespace xercesc;

SecurityManager sm;
sm.setEntityExpansionLimit(100);   // abort the parse after 100 entity expansions

parser->setSecurityManager(&sm);   // the parser keeps a pointer: sm must outlive it

If you add that to your code, Xerces will throw a SAXParseException when the parser has expanded more than the number of Entities you set, in this case 100. This will prevent the billion laughs.
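To show what that limit actually measures, here is an added example (not from the answer or from Xerces itself): a Xerces-free model that reads the internal DTD subset, counts the entity expansions needed to resolve the body, and rejects the document once the limit is exceeded. The regexes, the `]>` heuristic for the end of the internal subset and the sample documents are this example's own simplifications.

```cpp
// Added example (not from the original post): a Xerces-free model of the check
// SecurityManager::setEntityExpansionLimit performs. It reads <!ENTITY name "value">
// declarations from the internal DTD subset and counts expansions needed for the body.
#include <cstddef>
#include <map>
#include <regex>
#include <string>
#include <utility>
using EntityTable = std::map<std::string, std::string>;

// Collect internal general-entity declarations from the DOCTYPE subset.
EntityTable collectEntities(const std::string& doc) {
    static const std::regex decl(R"rx(<!ENTITY\s+(\w+)\s+"([^"]*)")rx");
    EntityTable table;
    for (std::sregex_iterator it(doc.begin(), doc.end(), decl), end; it != end; ++it)
        table[(*it)[1].str()] = (*it)[2].str();
    return table;
}

// Count references to declared entities, recursing into each replacement text; return
// false once `limit` expansions are spent (where Xerces would throw). Undeclared skipped.
bool countExpansions(const std::string& text, const EntityTable& table,
                     std::size_t limit, std::size_t& spent) {
    static const std::regex ref(R"rx(&(\w+);)rx");
    for (std::sregex_iterator it(text.begin(), text.end(), ref), end; it != end; ++it) {
        auto decl = table.find((*it)[1].str());
        if (decl == table.end()) continue;
        if (++spent > limit) return false;
        if (!countExpansions(decl->second, table, limit, spent)) return false;
    }
    return true;
}

// Apply the limit to the body (after the subset's "]>"); returns {accepted, expansions}.
std::pair<bool, std::size_t> checkDocument(const std::string& doc, std::size_t limit) {
    const EntityTable table = collectEntities(doc);
    const std::size_t end = doc.find("]>");
    const std::string body = end == std::string::npos ? doc : doc.substr(end + 2);
    std::size_t spent = 0;
    const bool ok = countExpansions(body, table, limit, spent);
    return {ok, spent};
}

// Constructed sample inputs: a benign document and a three-level nested one
// (1 + 10 + 100 = 111 expansions), shaped like the attack in the question.
const std::string kBenign =
    "<!DOCTYPE d [<!ENTITY co \"ACME\">]><d>&co; and &co; &amp; more</d>";
const std::string kNested =
    "<!DOCTYPE d [<!ENTITY a \"x\">"
    "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
    "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">]><d>&c;</d>";
```

With the answer's limit of 100 the nested sample is rejected on its 101st expansion, while the benign document costs only two; a real bomb simply adds more levels, which is why a small fixed limit is enough.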


Or, if you want to suppress the use of entities altogether, you can implement overrides on the DefaultHandler. In the declaration:

#include <xercesc/sax2/DefaultHandler.hpp>

class MyHandler : public xercesc::DefaultHandler
{
    // ... other members ...

    // Called for every <!ENTITY name "value"> in the DTD
    void internalEntityDecl(
        const XMLCh* const name,
        const XMLCh* const value) override;

    // Called for every <!ENTITY name SYSTEM "uri"> / PUBLIC declaration
    void externalEntityDecl(
        const XMLCh* const name,
        const XMLCh* const publicId,
        const XMLCh* const systemId) override;
};

and in the definition:

#include <xercesc/util/XMLString.hpp>
#include <stdexcept>
#include <string>

// Assumed implementation of the helper the answer calls: abort the parse
// as soon as any entity declaration is seen.
static void FailBecauseEntity( const XMLCh* const name )
{
    char* utf8 = xercesc::XMLString::transcode( name );
    std::string msg = std::string( "entity declaration rejected: " ) + utf8;
    xercesc::XMLString::release( &utf8 );
    throw std::runtime_error( msg );
}

void
MyHandler::internalEntityDecl(
    const XMLCh* const name,
    const XMLCh* const value )
{
    FailBecauseEntity( name );
}

void
MyHandler::externalEntityDecl(
    const XMLCh* const name,
    const XMLCh* const publicId,
    const XMLCh* const systemId )
{
    FailBecauseEntity( name );
}
