diff options
| author | Lars Knoll <lars.knoll@qt.io> | 2020-02-26 10:42:10 +0100 |
|---|---|---|
| committer | Lars Knoll <lars.knoll@qt.io> | 2020-03-25 05:10:58 +0000 |
| commit | f432c08882ffebe5074ea28de871559a98a4d094 (patch) | |
| tree | 01b8810b0cf9f2a2ef819604c551bdc92319bdc7 /dist/changes-5.12.8 | |
| parent | ce2d68ebe1aefeae78ff2fd8ec5ff7e20790ef69 (diff) | |
Add an expansion limit for entities
Recursively defined entities can easily exhaust all available
memory. Limit entity expansion to a default of 4096 characters to
avoid DoS attacks when a user loads untrusted content.
[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now
limit the expansion of entities to 4096 characters. Documents where
a single entity expands to more characters than the limit are not
considered well formed. The limit is there to avoid DoS attacks through
recursively expanding entities when loading untrusted content. Qt 5.15
will add methods that allow changing that limit.
Fixes: QTBUG-47417
Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit fd4be84d23a0db4186cb42e736a9de3af722c7f7)
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Diffstat (limited to 'dist/changes-5.12.8')
0 files changed, 0 insertions, 0 deletions