head	1.2;
access;
symbols
	RELEASE_7_3_0:1.1
	RELEASE_8_0_0:1.1;
locks; strict;
comment	@# @;


1.2
date	2010.05.06.23.10.19;	author pgollucci;	state dead;
branches;
next	1.1;

1.1
date	2009.06.08.05.11.09;	author pgollucci;	state Exp;
branches;
next	;


desc
@@


1.2
log
@- Regenerate patch files with make makepatch for they have
  piled up and additional patches conflict.
  This also will help when we try to syncronize www/apache20&www/apache22

With Hat:   apache@@
@
text
@Taken from
  http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch

--- srclib/apr-util/xml/apr_xml.c	2009/03/24 11:12:27	757729
+++ srclib/apr-util/xml/apr_xml.c	2009/06/03 14:26:19	781403
@@@@ -347,6 +347,25 @@@@
     return APR_SUCCESS;
 }
 
+#if XML_MAJOR_VERSION > 1
+/* Stop the parser if an entity declaration is hit. */
+static void entity_declaration(void *userData, const XML_Char *entityName,
+                               int is_parameter_entity, const XML_Char *value,
+                               int value_length, const XML_Char *base,
+                               const XML_Char *systemId, const XML_Char *publicId,
+                               const XML_Char *notationName)
+{
+    apr_xml_parser *parser = userData;
+
+    XML_StopParser(parser->xp, XML_FALSE);
+}
+#else
+/* A noop default_handler. */
+static void default_handler(void *userData, const XML_Char *s, int len)
+{
+}
+#endif
+
 APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
 {
     apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
@@@@ -372,6 +391,19 @@@@
     XML_SetElementHandler(parser->xp, start_handler, end_handler);
     XML_SetCharacterDataHandler(parser->xp, cdata_handler);
 
+    /* Prevent the "billion laughs" attack against expat by disabling
+     * internal entity expansion.  With 2.x, forcibly stop the parser
+     * if an entity is declared - this is safer and a more obvious
+     * failure mode.  With older versions, installing a noop
+     * DefaultHandler means that internal entities will be expanded as
+     * the empty string, which is also sufficient to prevent the
+     * attack. */
+#if XML_MAJOR_VERSION > 1
+    XML_SetEntityDeclHandler(parser->xp, entity_declaration);
+#else
+    XML_SetDefaultHandler(parser->xp, default_handler);
+#endif
+
     return parser;
 }
 
@


1.1
log
@- Backport apr-util security fixes pending the 2.2.12 release (forthcomming)

Security:       http://www.vuxml.org/freebsd/eb9212f7-526b-11de-bbf2-001b77d09812
PR:             ports/135310
Submitted by:   Eygene Ryabinkin <rea-fbsd@@codelabs.ru>
With Hat:       apache
@
text
@@

