From 46a8885ae486e238a39efa5119c2714f328b08e4 Mon Sep 17 00:00:00 2001
From: Mitch Curtis <mitch.curtis@digia.com>
Date: Fri, 27 Sep 2013 12:32:28 +0200
Subject: Disallow deep or widely nested entity references.

Nested references with a depth of 2 or greater will fail. References
that partially expand to greater than 1024 characters will also fail.

Change-Id: Id4e49d6f7cf51e3a247efdb4c6c7c9bd9b223f6e
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
---
 .../sax/qxmlsimplereader/tst_qxmlsimplereader.cpp  | 58 ++++++++++++++++++++++
 .../xmldocs/1-levels-nested-dtd.xml                | 12 +++++
 .../xmldocs/2-levels-nested-dtd.xml                | 13 +++++
 .../internal-entity-polynomial-attribute.xml       | 13 +++++
 4 files changed, 96 insertions(+)
 create mode 100644 tests/auto/xml/sax/qxmlsimplereader/xmldocs/1-levels-nested-dtd.xml
 create mode 100644 tests/auto/xml/sax/qxmlsimplereader/xmldocs/2-levels-nested-dtd.xml
 create mode 100644 tests/auto/xml/sax/qxmlsimplereader/xmldocs/internal-entity-polynomial-attribute.xml

(limited to 'tests/auto')

diff --git a/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp b/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
index f09fbff6c4..57d078ba65 100644
--- a/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
+++ b/tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp
@@ -160,6 +160,7 @@ class tst_QXmlSimpleReader : public QObject
         void reportNamespace() const;
         void reportNamespace_data() const;
         void roundtripWithNamespaces() const;
+        void dtdRecursionLimit();
 
     private:
         static QDomDocument fromByteArray(const QString &title, const QByteArray &ba, bool *ok);
@@ -755,5 +756,62 @@ void tst_QXmlSimpleReader::roundtripWithNamespaces() const
     }
 }
 
+class TestHandler : public QXmlDefaultHandler
+{
+public:
+    TestHandler() :
+        recursionCount(0)
+    {
+    }
+
+    bool internalEntityDecl(const QString &name, const QString &value)
+    {
+        ++recursionCount;
+        return QXmlDefaultHandler::internalEntityDecl(name, value);
+    }
+
+    int recursionCount;
+};
+
+void tst_QXmlSimpleReader::dtdRecursionLimit()
+{
+    QFile file("xmldocs/2-levels-nested-dtd.xml");
+    QVERIFY(file.open(QIODevice::ReadOnly));
+    QXmlSimpleReader xmlReader;
+    {
+        QXmlInputSource *source = new QXmlInputSource(&file);
+        TestHandler handler;
+        xmlReader.setDeclHandler(&handler);
+        xmlReader.setErrorHandler(&handler);
+        QVERIFY(!xmlReader.parse(source));
+    }
+
+    file.close();
+    file.setFileName("xmldocs/1-levels-nested-dtd.xml");
+    QVERIFY(file.open(QIODevice::ReadOnly));
+    {
+        QXmlInputSource *source = new QXmlInputSource(&file);
+        TestHandler handler;
+        xmlReader.setDeclHandler(&handler);
+        xmlReader.setErrorHandler(&handler);
+        QVERIFY(!xmlReader.parse(source));
+        // The error wasn't because of the recursion limit being reached,
+        // it was because the document is not valid.
+        QVERIFY(handler.recursionCount < 2);
+    }
+
+    file.close();
+    file.setFileName("xmldocs/internal-entity-polynomial-attribute.xml");
+    QVERIFY(file.open(QIODevice::ReadOnly));
+    {
+        QXmlInputSource *source = new QXmlInputSource(&file);
+        TestHandler handler;
+        xmlReader.setDeclHandler(&handler);
+        xmlReader.setErrorHandler(&handler);
+        QVERIFY(!xmlReader.parse(source));
+        QVERIFY(handler.recursionCount == 1);
+    }
+}
+
 QTEST_MAIN(tst_QXmlSimpleReader)
 #include "tst_qxmlsimplereader.moc"
diff --git a/tests/auto/xml/sax/qxmlsimplereader/xmldocs/1-levels-nested-dtd.xml b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/1-levels-nested-dtd.xml
new file mode 100644
index 0000000000..0dfc15b165
--- /dev/null
+++ b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/1-levels-nested-dtd.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!-- Test non-deterministic content model matching.
+
+Entity references are not part of the internal DTD subset (for good reason).
+
+-->
+<!DOCTYPE root [
+<!ELEMENT e0 EMPTY>
+<!ENTITY % e1 "(e0,e0)">
+<!ELEMENT root (%e1;)?>
+]>
+<root/>
\ No newline at end of file
diff --git a/tests/auto/xml/sax/qxmlsimplereader/xmldocs/2-levels-nested-dtd.xml b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/2-levels-nested-dtd.xml
new file mode 100644
index 0000000000..7ec06db85f
--- /dev/null
+++ b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/2-levels-nested-dtd.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!-- Test non-deterministic content model matching.
+
+Entity references are not part of the internal DTD subset (for good reason).
+
+-->
+<!DOCTYPE root [
+<!ELEMENT e0 EMPTY>
+<!ENTITY % e1 "(e0,e0)">
+<!ENTITY % e2 "(%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;)">
+<!ELEMENT root (%e2;)?>
+]>
+<root/>
diff --git a/tests/auto/xml/sax/qxmlsimplereader/xmldocs/internal-entity-polynomial-attribute.xml b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/internal-entity-polynomial-attribute.xml
new file mode 100644
index 0000000000..bbb88f39f6
--- /dev/null
+++ b/tests/auto/xml/sax/qxmlsimplereader/xmldocs/internal-entity-polynomial-attribute.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!-- Test polynomial growth of expanded XML.
+     Expansion happens in an attribute. -->
+<!DOCTYPE root [
+<!ELEMENT root EMPTY>
+<!ATTLIST root id CDATA #IMPLIED>
+<!ENTITY e1 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
+<!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
+<!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">
+<!ENTITY e4 "&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;">
+]>
+<root id="&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;"/>
+
-- 
cgit v1.2.3