Re: [xml] Runtime parser limit for maximum size of text nodes



On Thu, Jun 22, 2017 at 08:40:23AM -0600, Stacy W. Smith wrote:
On 21/06/2017 23:41, Daniel Veillard wrote:
  I see only one person asking for this. Like any change to the
structure (even adding at the end) this has
potential risks. IMHO not worth the risk. If the person has such a
specific need he can simply recompile
libxml2 with a different value of the constant for that piece of code.

If you're looking for feedback, I would also like to see this change committed. I have a project which uses
libxml2 indirectly via the Python lxml library. In this environment, it is not practical/feasible to have
users recompile libxml2.

  No limit on text node and one can be DoS'ed, there are many kinds
of recursive attacks on XML, and libxml2 uses a combination of "entities
density" and text node size to try to catch those, it's complex.
  By offloading the choice of the maximum text size to the application
developer you then put them in charge of doing the checking, i.e. too
big a size and the app can be DoS'ed in practice, it just depends on the
computer speed and memory amount. They need to be aware of that.
  Your change would not change the default behaviour, that's a good point.
The change of the size of the parsing context can bite some apps, that
happened in the past when I did this, maybe they have all been corrected,
but I would doubt it's gonna be 100% without side effects.
  Except for Inkscape which usually doesn't load its images from random
web resources, I think use of XML_PARSE_HUGE to avoid the node text size
limit is a serious mistake (at least for web apps and stacks), but
I would not be too optimistic about the actual testing of the apps after they
pick a new one for DoS, too many vectors, too complex...

  Purely at the code review, the patch looks fine, I would add a comment that
changing the text node max size has an influence on DoS detection by
libxml2 and doing so while parsing untrusted source should get some security
attention.
  Since the default is preserved, I'm not too worried, it's mostly the
structure size change which may break on users.

  ACK

Daniel

-- 
Daniel Veillard      | Red Hat Developers Tools http://developer.redhat.com/
veillard redhat com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/
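The check Daniel says an application takes over once it raises the text node limit, as an added example that is not part of this thread, of libxml2 or of lxml: a streaming parser built on Python's standard-library expat binding that aborts as soon as a single text node exceeds a configurable byte budget. The default budget mirrors libxml2's compiled-in 10,000,000-byte limit (XML_MAX_TEXT_LENGTH); the function and exception names are my own, and the inputs are constructed.

```python
"""Application-side cap on XML text node size, enforced while streaming."""
import xml.parsers.expat

# libxml2's compiled-in default (XML_MAX_TEXT_LENGTH) is 10,000,000 bytes;
# it is mirrored here as the default budget for the application-side check.
DEFAULT_MAX_TEXT = 10_000_000


class TextNodeTooLarge(ValueError):
    """Raised when one text node grows past the configured byte budget."""


def parse_with_text_limit(data: bytes, max_text: int = DEFAULT_MAX_TEXT) -> dict:
    """Parse `data` with expat, aborting as soon as one text node exceeds
    `max_text` bytes. Returns the element count and the longest text node seen."""
    stats = {"elements": 0, "longest_text": 0}
    current = 0  # bytes accumulated in the text node currently being read

    def flush():  # a text node ends at the next start or end tag
        nonlocal current
        stats["longest_text"] = max(stats["longest_text"], current)
        current = 0

    def start(name, attrs):
        flush()
        stats["elements"] += 1

    def chars(text):
        nonlocal current
        # expat may deliver one text node in several chunks; count the total
        current += len(text.encode("utf-8"))
        if current > max_text:
            # raising inside a handler stops expat and propagates out of Parse()
            raise TextNodeTooLarge(f"text node exceeds {max_text} bytes")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: flush()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return stats


def exceeds_text_limit(data: bytes, max_text: int = DEFAULT_MAX_TEXT) -> bool:
    """True if parsing `data` would trip the text node budget."""
    try:
        parse_with_text_limit(data, max_text)
    except TextNodeTooLarge:
        return True
    return False


if __name__ == "__main__":
    # constructed inputs: one within a 1000-byte budget, one 5x over it
    print(parse_with_text_limit(b"<r><a>" + b"x" * 500 + b"</a></r>", 1000))
    print(exceeds_text_limit(b"<r><a>" + b"y" * 5000 + b"</a></r>", 1000))
```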

