Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 04 Mar 2014 15:45:55 +0100
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: XML entity processing hardening

I'm in contact with an upstream for an XML processing library who do not 
want to disable entity processing for the embedded DTD subset.

What are recommended practices if you have to do full entity processing, 
but still want to avoid DoS (CPU and memory issues)?

Here's what I came up with:

CPU and memory are separate concerns because depending on the 
implementation, empty entity references may not result in memory 
consumption, but they may still need impossible large amounts of CPU 
time to process.  However, I think it is possible to address the CPU 
aspect purely with memory accounting if we pretend that every entity 
reference expands to at least one character, even if it is empty.

Apart from that, I think it is sufficient to approximate the character 
count in fully-expanded serialized XML content.  This "memory cost" 
would have to memoized for each entity, and counted during entity 
expansion itself and eventual document generation.  During parsing, the 
cost encountered is compared against a pre-computed limit.

The upper cost limit I suggest is 10 times the document size (perhaps 
including the content of external entities, if enabled and parsed, not 
entirely sure about that), plus a fixed baseline of (say) 1 MiB.  These 
numbers are obviously totally arbitrary, but hopefully, they grant 
sufficient flexibility.

-- 
Florian Weimer / Red Hat Product Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.