projects / qtbase-opensource-src.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9a3fad2) | patch
add an expansion limit for entities
authorDebian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Wed, 19 Aug 2020 17:40:32 +0000 (18:40 +0100)
committerDmitry Shachnev <mitya57@debian.org>
Wed, 19 Aug 2020 17:40:32 +0000 (18:40 +0100)
commite8c148b30faf4a46e4d53c91e7b3a38e6e8156a8
tree94f458c57c7796e1d32619ac8333093bc4a1b91ftree | snapshot
parent9a3fad23d0e2cd022032a9a52c5ac63cad350faacommit | diff
add an expansion limit for entities

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=fd4be84d23a0db41
Last-Update: 2020-02-27

Recursively defined entities can easily exhaust all available
memory. Limit entity expansion to a default of 4096 characters to
avoid DoS attacks when a user loads untrusted content.

Added a setter and getter to allow modifying the expansion limit.

QXmlStreamReader does now by default limit the expansion of entities
to 4096 characters. Documents where a single entity expands to more
characters than the limit are not considered well formed. The limit
is there to avoid DoS attacks through recursively expanding entities
when loading untrusted content. The limit can be changed through the
QXmlStreamReader::setEntityExpansionLimit() method.

Gbp-Pq: Name CVE-2015-9541.diff
src/corelib/serialization/qxmlstream.cpp diff | blob | history
src/corelib/serialization/qxmlstream.g diff | blob | history
src/corelib/serialization/qxmlstream.h diff | blob | history
src/corelib/serialization/qxmlstream_p.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.