summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMitch Curtis <mitch.curtis@digia.com>2013-09-27 12:32:28 +0200
committerOswald Buddenhagen <oswald.buddenhagen@digia.com>2013-11-15 19:24:47 +0100
commit779fa9c590a1bf399b34fbf293d8399e61a1e15c (patch)
tree68fad0ae4c15a25a9684eef6834ee2ac290dca47
parentf2c5f33b6bda570f64dcfe07241cf20d54f8954b (diff)
Disallow deep or widely nested entity references.old/5.1
Nested entities with a depth of 2 or more will fail. Entities that fully expand to more than 1024 characters will also fail. Change-Id: I75525bc1edfa796c4db30a5109fe21011ad43a2d Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Lars Knoll <lars.knoll@digia.com> (cherries picked from commits 46a8885ae486e238a39efa5119c2714f328b08e4 and f1053d94f59f053ce4acad9320df14f1fbe4faac)
-rw-r--r--src/xml/sax/qxml.cpp63
-rw-r--r--tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp58
-rw-r--r--tests/auto/xml/sax/qxmlsimplereader/xmldocs/1-levels-nested-dtd.xml12
-rw-r--r--tests/auto/xml/sax/qxmlsimplereader/xmldocs/2-levels-nested-dtd.xml13
-rw-r--r--tests/auto/xml/sax/qxmlsimplereader/xmldocs/internal-entity-polynomial-attribute.xml13
5 files changed, 159 insertions, 0 deletions
diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp
index 0e20041a62..5ddcf2705a 100644
--- a/src/xml/sax/qxml.cpp
+++ b/src/xml/sax/qxml.cpp
@@ -424,6 +424,12 @@ private:
int stringValueLen;
QString emptyStr;
+ // The limit to the amount of times the DTD parsing functions can be called
+ // for the DTD currently being parsed.
+ static const int dtdRecursionLimit = 2;
+ // The maximum amount of characters an entity value may contain, after expansion.
+ static const int entityCharacterLimit = 1024;
+
const QString &string();
void stringClear();
void stringAddC(QChar);
@@ -493,6 +499,8 @@ private:
void parseFailed(ParseFunction where, int state);
void pushParseState(ParseFunction function, int state);
+ bool isExpandedEntityValueTooLarge(QString *errorMessage);
+
Q_DECLARE_PUBLIC(QXmlSimpleReader)
QXmlSimpleReader *q_ptr;
@@ -5035,6 +5043,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype()
}
break;
case Mup:
+ if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) {
+ reportParseError(QString::fromLatin1(
+ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
+ return false;
+ }
if (!parseMarkupdecl()) {
parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state);
return false;
@@ -6644,6 +6657,50 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
return false;
}
+bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage)
+{
+ QMap<QString, int> literalEntitySizes;
+ // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (int>) times.
+ QMap<QString, QMap<QString, int> > referencesToOtherEntities;
+ QMap<QString, int> expandedSizes;
+
+ // For every entity, check how many times all entity names were referenced in its value.
+ foreach (QString toSearch, entities.keys()) {
+ // The amount of characters that weren't entity names, but literals, like 'X'.
+ QString leftOvers = entities.value(toSearch);
+ // How many times was entityName referenced by toSearch?
+ foreach (QString entityName, entities.keys()) {
+ for (int i = 0; i < leftOvers.size() && i != -1; ) {
+ i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i);
+ if (i != -1) {
+ leftOvers.remove(i, entityName.size() + 2);
+ // The entityName we're currently trying to find was matched in this string; increase our count.
+ ++referencesToOtherEntities[toSearch][entityName];
+ }
+ }
+ }
+ literalEntitySizes[toSearch] = leftOvers.size();
+ }
+
+ foreach (QString entity, referencesToOtherEntities.keys()) {
+ expandedSizes[entity] = literalEntitySizes[entity];
+ foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) {
+ const int references = referencesToOtherEntities.value(entity).value(referenceTo);
+ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
+ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
+ }
+
+ if (expandedSizes[entity] > entityCharacterLimit) {
+ if (errorMessage) {
+ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3).");
+ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
+ }
+ return true;
+ }
+ }
+ return false;
+}
+
/*
Parse a EntityDecl [70].
@@ -6738,6 +6795,12 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl()
switch (state) {
case EValue:
if ( !entityExist(name())) {
+ QString errorMessage;
+ if (isExpandedEntityValueTooLarge(&errorMessage)) {
+ reportParseError(errorMessage);
+ return false;
+ }
+
entities.insert(name(), string());
if (declHnd) {
if (!declHnd->internalEntityDecl(name(), string())) {
diff --git a/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp b/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
index d4c0ff44ca..d6ad8674f3 100644
--- a/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
+++ b/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
@@ -160,6 +160,7 @@ class tst_QXmlSimpleReader : public QObject
void reportNamespace() const;
void reportNamespace_data() const;
void roundtripWithNamespaces() const;
+ void dtdRecursionLimit();
private:
static QDomDocument fromByteArray(const QString &title, const QByteArray &ba, bool *ok);
@@ -770,5 +771,62 @@ void tst_QXmlSimpleReader::roundtripWithNamespaces() const
}
}
+class TestHandler : public QXmlDefaultHandler
+{
+public:
+ TestHandler() :
+ recursionCount(0)
+ {
+ }
+
+ bool internalEntityDecl(const QString &name, const QString &value)
+ {
+ ++recursionCount;
+ return QXmlDefaultHandler::internalEntityDecl(name, value);
+ }
+
+ int recursionCount;
+};
+
+void tst_QXmlSimpleReader::dtdRecursionLimit()
+{
+ QFile file("xmldocs/2-levels-nested-dtd.xml");
+ QVERIFY(file.open(QIODevice::ReadOnly));
+ QXmlSimpleReader xmlReader;
+ {
+ QXmlInputSource *source = new QXmlInputSource(&file);
+ TestHandler handler;
+ xmlReader.setDeclHandler(&handler);
+ xmlReader.setErrorHandler(&handler);
+ QVERIFY(!xmlReader.parse(source));
+ }
+
+ file.close();
+ file.setFileName("xmldocs/1-levels-nested-dtd.xml");
+ QVERIFY(file.open(QIODevice::ReadOnly));
+ {
+ QXmlInputSource *source = new QXmlInputSource(&file);
+ TestHandler handler;
+ xmlReader.setDeclHandler(&handler);
+ xmlReader.setErrorHandler(&handler);
+ QVERIFY(!xmlReader.parse(source));
+ // The error wasn't because of the recursion limit being reached,
+ // it was because the document is not valid.
+ QVERIFY(handler.recursionCount < 2);
+ }
+
+ file.close();
+ file.setFileName("xmldocs/internal-entity-polynomial-attribute.xml");
+ QVERIFY(file.open(QIODevice::ReadOnly));
+ {
+ QXmlInputSource *source = new QXmlInputSource(&file);
+ TestHandler handler;
+ xmlReader.setDeclHandler(&handler);
+ xmlReader.setErrorHandler(&handler);
+ QVERIFY(!xmlReader.parse(source));
+ QCOMPARE(handler.recursionCount, 2);
+ }
+}
+
QTEST_MAIN(tst_QXmlSimpleReader)
#include "tst_qxmlsimplereader.moc"
diff --git a/tests/auto/xml/sax/qxmlsimplereader/xmldocs/1-levels-nested-dtd.xml b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/1-levels-nested-dtd.xml
new file mode 100644
index 0000000000..0dfc15b165
--- /dev/null
+++ b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/1-levels-nested-dtd.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!-- Test non-deterministic content model matching.
+
+Entity references are not part of the internal DTD subset (for good reason).
+
+-->
+<!DOCTYPE root [
+<!ELEMENT e0 EMPTY>
+<!ENTITY % e1 "(e0,e0)">
+<!ELEMENT root (%e1;)?>
+]>
+<root/> \ No newline at end of file
diff --git a/tests/auto/xml/sax/qxmlsimplereader/xmldocs/2-levels-nested-dtd.xml b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/2-levels-nested-dtd.xml
new file mode 100644
index 0000000000..7ec06db85f
--- /dev/null
+++ b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/2-levels-nested-dtd.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!-- Test non-deterministic content model matching.
+
+Entity references are not part of the internal DTD subset (for good reason).
+
+-->
+<!DOCTYPE root [
+<!ELEMENT e0 EMPTY>
+<!ENTITY % e1 "(e0,e0)">
+<!ENTITY % e2 "(%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;)">
+<!ELEMENT root (%e2;)?>
+]>
+<root/>
diff --git a/tests/auto/xml/sax/qxmlsimplereader/xmldocs/internal-entity-polynomial-attribute.xml b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/internal-entity-polynomial-attribute.xml
new file mode 100644
index 0000000000..bbb88f39f6
--- /dev/null
+++ b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/internal-entity-polynomial-attribute.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!-- Test polynomial growth of expanded XML.
+ Expansion happens in an attribute. -->
+<!DOCTYPE root [
+<!ELEMENT root EMPTY>
+<!ATTLIST root id CDATA #IMPLIED>
+<!ENTITY e1 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
+<!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
+<!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">
+<!ENTITY e4 "&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;">
+]>
+<root id="&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;"/>
+