[Expat-discuss] A way to handle malicious XML with Expat / was Re: Handling malicious XML with Expat - what options do I have?

Sebastian Pipping webmaster at hartwork.org
Sat Sep 13 05:08:23 CEST 2008


Talking to a friend of mine gave some new ideas.
Monitoring the final size of an entity alone is not
enough:

 - The entity could evaluate to zero length
   and still take "forever" to compute
   (== billion laughs with "" instead of "ha")

 - Part of the content multiplication could be moved
   to the document's body and therefore be hidden
   from monitoring

So I have added two more checks:
- A limit on the total lookups to form the value
  of an entity
- A limit on the ratio between input and output


The three constants in the code to play with are

   MAX_BYTES_PER_ENTITY_VALUE    = 100000
   MAX_LOOKUPS_PER_ENTITY_VALUE  = 30
   MAX_INPUT_FACTOR              = 20

I'd be interested to know if these values still work
for people working with very large documents.



Sebastian

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: demo_2_0.cpp
URL: <http://mail.libexpat.org/pipermail/expat-discuss/attachments/20080913/f54f67f5/attachment-0001.txt>
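The three checks the post describes, as an added Python model that is not the attached demo_2_0.cpp and not Expat's own code: a toy internal-subset parser expands one entity while charging every reference as a lookup and every literal byte as output, then compares output to input bytes, using the three constants above. The function names, the DTD samples and the ratio definition (expanded bytes per byte of declaration text) are this example's assumptions; note that the lookup limit alone already stops the zero-length variant and a self-referencing entity.

```python
import re

# The three limits from the post; the checks built around them are this example's own model
MAX_BYTES_PER_ENTITY_VALUE = 100000
MAX_LOOKUPS_PER_ENTITY_VALUE = 30
MAX_INPUT_FACTOR = 20

REF = re.compile(r"&([^;&\s]+);")                        # entity reference inside a value
DECL = re.compile(r'<!ENTITY\s+(\S+)\s+"([^"]*)"\s*>')  # minimal internal-subset parser (constructed)

class EntityLimitExceeded(Exception):
    pass

def _charge(stats, key, amount, limit):
    stats[key] += amount                                 # stop as soon as a counter crosses its limit
    if stats[key] > limit:
        raise EntityLimitExceeded("%s limit %d exceeded" % (key, limit))

def _expand(name, table, stats):
    """Depth-first expansion: each reference is one lookup, each literal byte is output; recursion is capped by the lookup limit too."""
    if name not in table:
        raise EntityLimitExceeded("undefined entity &%s;" % name)
    raw, out, pos = table[name], [], 0
    for m in REF.finditer(raw):
        _charge(stats, "bytes", m.start() - pos, MAX_BYTES_PER_ENTITY_VALUE)
        _charge(stats, "lookups", 1, MAX_LOOKUPS_PER_ENTITY_VALUE)
        out += [raw[pos:m.start()], _expand(m.group(1), table, stats)]
        pos = m.end()
    _charge(stats, "bytes", len(raw) - pos, MAX_BYTES_PER_ENTITY_VALUE)
    out.append(raw[pos:])
    return "".join(out)

def check_entity(name, dtd):
    """Apply all three limits to one entity's value; returns the verdict together with the counters."""
    table = dict(DECL.findall(dtd))
    stats = {"bytes": 0, "lookups": 0}
    try:
        _expand(name, table, stats)
        factor = stats["bytes"] / max(len(dtd), 1)   # modelled ratio: output bytes per byte of declarations read
        if factor > MAX_INPUT_FACTOR:
            raise EntityLimitExceeded("output is %.1fx the input" % factor)
        return {"accepted": True, "reason": "", **stats}
    except EntityLimitExceeded as e:
        return {"accepted": False, "reason": str(e), **stats}

# Constructed inputs: harmless nesting, the "billion laughs with empty ha", and few lookups but a huge ratio
BENIGN = '<!ENTITY author "Ada">\n<!ENTITY sig "&author; - 2008">'
EMPTY_LAUGHS = '<!ENTITY lol0 "">\n' + "\n".join(
    '<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * 10) for i in range(1, 4))
WIDE = '<!ENTITY big "%s">\n<!ENTITY boom "%s">' % ("x" * 500, "&big;" * 30)
```

check_entity("lol3", EMPTY_LAUGHS) is rejected on lookups with zero output bytes, and check_entity("boom", WIDE) passes both size checks but fails the input/output ratio.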
