[Zope-Checkins] SVN: Zope/trunk/ Defend against minidom-based DoS in webdav.
Tres Seaver
cvs-admin at zope.org
Wed Feb 20 23:43:40 UTC 2013
Log message for revision 129555:
Defend against minidom-based DoS in webdav.
Patch from Christian Heimes.
Addresses LP #1114688.
Changed:
_U Zope/trunk/
U Zope/trunk/doc/CHANGES.rst
U Zope/trunk/src/webdav/tests/test_xmltools.py
U Zope/trunk/src/webdav/xmltools.py
-=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst 2013-02-20 23:41:00 UTC (rev 129554)
+++ Zope/trunk/doc/CHANGES.rst 2013-02-20 23:43:40 UTC (rev 129555)
@@ -11,6 +11,9 @@
Bugs Fixed
++++++++++
+- LP #1114688: Defend against minidom-based DoS in webdav. (Patch from
+ Christian Heimes).
+
- LP #978980: Protect views of ZPT source with 'View Management Screens'
permision.
Modified: Zope/trunk/src/webdav/tests/test_xmltools.py
===================================================================
--- Zope/trunk/src/webdav/tests/test_xmltools.py 2013-02-20 23:41:00 UTC (rev 129554)
+++ Zope/trunk/src/webdav/tests/test_xmltools.py 2013-02-20 23:43:40 UTC (rev 129555)
@@ -1,19 +1,16 @@
import unittest
-class TestNode(unittest.TestCase):
+class NodeTests(unittest.TestCase):
def _getTargetClass(self):
from webdav.xmltools import Node
return Node
def _makeOne(self, wrapped):
- klass = self._getTargetClass()
- return klass(wrapped)
+ return self._getTargetClass()(wrapped)
def test_remove_namespace_attrs(self):
- """ A method added in Zope 2.11 which removes any attributes
- which appear to be XML namespace declarations """
- class DummyMinidomNode:
+ class DummyMinidomNode(object):
def __init__(self):
self.attributes = {'xmlns:foo':'foo', 'xmlns':'bar', 'a':'b'}
def hasAttributes(self):
@@ -27,7 +24,36 @@
self.assertEqual(wrapped.attributes, {'a':'b'})
+class XmlParserTests(unittest.TestCase):
+
+ def _getTargetClass(self):
+ from webdav.xmltools import XmlParser
+ return XmlParser
+
+ def _makeOne(self):
+ return self._getTargetClass()()
+
+ def test_parse_rejects_entities(self):
+ XML = '\n'.join([
+ '<!DOCTYPE dt_test [',
+ '<!ENTITY entity "1234567890" >',
+ ']>',
+ '<test>&entity;</test>'
+ ])
+ parser = self._makeOne()
+ self.assertRaises(ValueError, parser.parse, XML)
+
+ def test_parse_rejects_doctype_wo_entities(self):
+ XML = '\n'.join([
+ '<!DOCTYPE dt_test []>',
+ '<test/>'
+ ])
+ parser = self._makeOne()
+ self.assertRaises(ValueError, parser.parse, XML)
+
+
def test_suite():
return unittest.TestSuite((
- unittest.makeSuite(TestNode),
- ))
+ unittest.makeSuite(NodeTests),
+ unittest.makeSuite(XmlParserTests),
+ ))
Modified: Zope/trunk/src/webdav/xmltools.py
===================================================================
--- Zope/trunk/src/webdav/xmltools.py 2013-02-20 23:41:00 UTC (rev 129554)
+++ Zope/trunk/src/webdav/xmltools.py 2013-02-20 23:43:40 UTC (rev 129555)
@@ -35,7 +35,9 @@
from StringIO import StringIO
from xml.dom import minidom
-from xml.sax.saxutils import escape as _escape, unescape as _unescape
+from xml.sax.expatreader import ExpatParser
+from xml.sax.saxutils import escape as _escape
+from xml.sax.saxutils import unescape as _unescape
escape_entities = {'"': '"',
"'": ''',
@@ -170,6 +172,36 @@
writer.write(value)
return writer.getvalue()
+
+class ProtectedExpatParser(ExpatParser):
+ """ See https://bugs.launchpad.net/zope2/+bug/1114688
+ """
+ def __init__(self, forbid_dtd=True, forbid_entities=True,
+ *args, **kwargs):
+ # Python 2.x old style class
+ ExpatParser.__init__(self, *args, **kwargs)
+ self.forbid_dtd = forbid_dtd
+ self.forbid_entities = forbid_entities
+
+ def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
+ raise ValueError("Inline DTD forbidden")
+
+ def entity_decl(self, entityName, is_parameter_entity, value, base, systemId, publicId, notationName):
+ raise ValueError("<!ENTITY> forbidden")
+
+ def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
+ # expat 1.2
+ raise ValueError("<!ENTITY> forbidden")
+
+ def reset(self):
+ ExpatParser.reset(self)
+ if self.forbid_dtd:
+ self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
+ if self.forbid_entities:
+ self._parser.EntityDeclHandler = self.entity_decl
+ self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
+
+
class XmlParser:
""" Simple wrapper around minidom to support the required
interfaces for zope.webdav
@@ -181,5 +213,5 @@
pass
def parse(self, data):
- self.dom = minidom.parseString(data)
+ self.dom = minidom.parseString(data, parser=ProtectedExpatParser())
return Node(self.dom)
More information about the Zope-Checkins
mailing list