From 46a8885ae486e238a39efa5119c2714f328b08e4 Mon Sep 17 00:00:00 2001
From: Mitch Curtis
Date: Fri, 27 Sep 2013 12:32:28 +0200
Subject: Disallow deep or widely nested entity references. Nested references with a depth of 2 or greater will fail. References that partially expand to greater than 1024 characters will also fail.
Change-Id: Id4e49d6f7cf51e3a247efdb4c6c7c9bd9b223f6e
Reviewed-by: Richard J. Moore
Reviewed-by: Lars Knoll
---
 .../sax/qxmlsimplereader/tst_qxmlsimplereader.cpp | 58 ++++++++++++++++++++++
 1 file changed, 58 insertions(+) (limited to 'tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp')
diff --git a/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp b/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
index f09fbff6c4..57d078ba65 100644
--- a/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
+++ b/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
@@ -160,6 +160,7 @@ class tst_QXmlSimpleReader : public QObject
 void reportNamespace() const;
 void reportNamespace_data() const;
 void roundtripWithNamespaces() const;
+ void dtdRecursionLimit();
 private:
 static QDomDocument fromByteArray(const QString &title, const QByteArray &ba, bool *ok);
@@ -755,5 +756,62 @@ void tst_QXmlSimpleReader::roundtripWithNamespaces() const
 }
 }
+class TestHandler : public QXmlDefaultHandler
+{
+public:
+ TestHandler() :
+ recursionCount(0)
+ {
+ }
+
+ bool internalEntityDecl(const QString &name, const QString &value)
+ {
+ ++recursionCount;
+ return QXmlDefaultHandler::internalEntityDecl(name, value);
+ }
+
+ int recursionCount;
+};
+
+void tst_QXmlSimpleReader::dtdRecursionLimit()
+{
+ QFile file("xmldocs/2-levels-nested-dtd.xml");
+ QVERIFY(file.open(QIODevice::ReadOnly));
+ QXmlSimpleReader xmlReader;
+ {
+ QXmlInputSource *source = new QXmlInputSource(&file);
+ TestHandler handler;
+ xmlReader.setDeclHandler(&handler);
+ xmlReader.setErrorHandler(&handler);
+ QVERIFY(!xmlReader.parse(source));
+ }
+
+ file.close();
+ file.setFileName("xmldocs/1-levels-nested-dtd.xml");
+ QVERIFY(file.open(QIODevice::ReadOnly));
+ {
+ QXmlInputSource *source = new QXmlInputSource(&file);
+ TestHandler handler;
+ xmlReader.setDeclHandler(&handler);
+ xmlReader.setErrorHandler(&handler);
+ QVERIFY(!xmlReader.parse(source));
+ // The error wasn't because of the recursion limit being reached,
+ // it was because the document is not valid.
+ QVERIFY(handler.recursionCount < 2);
+ }
+
+ file.close();
+ file.setFileName("xmldocs/internal-entity-polynomial-attribute.xml");
+ QVERIFY(file.open(QIODevice::ReadOnly));
+ {
+ QXmlInputSource *source = new QXmlInputSource(&file);
+ TestHandler handler;
+ xmlReader.setDeclHandler(&handler);
+ xmlReader.setErrorHandler(&handler);
+ QVERIFY(!xmlReader.parse(source));
+ QVERIFY(handler.recursionCount == 1);
+ }
+}
+
 QTEST_MAIN(tst_QXmlSimpleReader)
 #include "tst_qxmlsimplereader.moc"
-- cgit v1.2.3
From f1053d94f59f053ce4acad9320df14f1fbe4faac Mon Sep 17 00:00:00 2001
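Review bot: All three `QVERIFY(!xmlReader.parse(source))` checks in dtdRecursionLimit() accept any parse failure, so the test cannot tell the new nesting and expansion limit apart from a fixture that is rejected for an unrelated reason; the in-code comment on the 1-level case already says that document fails because it is invalid. Because this test guards against entity-expansion resource exhaustion, TestHandler could override `fatalError(const QXmlParseException &)` to record `exception.message()` and each block could assert on it (the exact message text is set in the reader and is not visible in this patch). A fixture that is expected to parse successfully would also show that the limit does not reject ordinary single-level references. Separately, each `new QXmlInputSource(&file)` is never deleted; `QXmlInputSource source(&file);` with `xmlReader.parse(&source)` avoids the leak. `recursionCount` counts internalEntityDecl() callbacks rather than nesting depth, so a name such as `entityDeclCount` or a one-line comment would make the `< 2` and `== 1` assertions easier to read.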
From: Mitch Curtis
Date: Mon, 11 Nov 2013 14:27:40 +0100
Subject: Fully expand entities to ensure deep or widely nested ones fail parsing With 46a8885ae486e238a39efa5119c2714f328b08e4, we failed when parsing entities whose partially expanded size was greater than 1024 characters. That was not enough, so now we fully expand all entities. Amends 46a8885ae486e238a39efa5119c2714f328b08e4.
Change-Id: Ie80720d7e04d825eb4eebf528140eb94806c02b1
Reviewed-by: Richard J. Moore
Reviewed-by: Lars Knoll
---
 tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp')
diff --git a/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp b/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
index 57d078ba65..ed909946e6 100644
--- a/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
+++ b/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
@@ -809,7 +809,7 @@ void tst_QXmlSimpleReader::dtdRecursionLimit()
 xmlReader.setDeclHandler(&handler);
 xmlReader.setErrorHandler(&handler);
 QVERIFY(!xmlReader.parse(source));
- QVERIFY(handler.recursionCount == 1);
+ QCOMPARE(handler.recursionCount, 2);
 }
 }
-- cgit v1.2.3
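Review bot: The new expectation `QCOMPARE(handler.recursionCount, 2);` is a bare number whose meaning depends on the contents of internal-entity-polynomial-attribute.xml, which this patch does not show. A short comment above it, for example `// Both internal entity declarations are reported before full expansion exceeds the limit.`, would record why the count moved from 1 to 2; that wording is inferred from the commit message and should be checked against the fixture. The enclosing block and dtdRecursionLimit() both start outside the hunk.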