[Expat-discuss] Handling malicious XML with Expat - what options do I have?
Karl Waclawek
karl at waclawek.net
Fri Sep 12 15:09:54 CEST 2008
Nick MacDonald wrote:
> Sebastian:
>
> DoS prevention is virtually impossible to do perfectly... you'll end
> up spending all your time on the effort and never get meaningful work
> done... so you have to find the reasonable trade-offs that make
> things fairly secure but still leave your system usable. In this
> vein, sanitizing your input is probably the best bang for your buck...
> backed up by some "over limit" detection in your code.
>
> I haven't spent any time on this particular topic, and although I have
> heard of the "million laughs" attack, I am not well versed in XML
> attacks... but the obvious answer to me is to employ some sort of XML
> sanity checking logic as a pre-parsing step.
As far as I know the standard approach to this attack is to turn off DTD
processing. I don't remember anymore if this can be done properly with
Expat, but I would look at these APIs:
- XML_SetParamEntityParsing
- XML_SetDefaultHandler
- XML_SetExternalEntityRefHandler
The proper approach would be to extend Expat's memory allocation
functions to accept an extra callback parameter (application supplied),
so that memory usage can be tracked. We did talk about that, but never got
around to it, also because it would break Expat's API.
Karl
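The following is an added example, not code from the thread or from the Expat project. It uses Python's standard-library binding to Expat (xml.parsers.expat), whose parser attributes map onto the C calls Karl lists: SetParamEntityParsing is XML_SetParamEntityParsing, DefaultHandler is XML_SetDefaultHandler (the variant that turns off expansion of internal entity references), and ExternalEntityRefHandler is XML_SetExternalEntityRefHandler. It goes beyond the reply in two ways: it also installs an EntityDeclHandler so that entity declarations can be refused outright, and it adds a character-data byte budget as the "over limit" check Nick mentions. The names UnsafeDocument, parse_hardened and check, the budget value, and the sample documents are all constructed for this example.

```python
import xml.parsers.expat as expat


class UnsafeDocument(Exception):
    """Raised from a handler to abort parsing of input we refuse to process."""


def parse_hardened(doc, budget=64 * 1024, refuse_entity_decls=True):
    """Parse `doc` with Expat (via the stdlib binding) with DTD expansion disabled.

    Returns a dict with the collected character data, the entity declarations
    seen, and any entity references that reached the default handler
    unexpanded. Raises UnsafeDocument when the input trips a policy or limit.
    """
    p = expat.ParserCreate()
    state = {"chars": 0, "text": [], "entity_decls": [], "unexpanded": []}

    # Never read or expand parameter entities (external DTD subsets, %pe;).
    # This is Expat's default; it is set explicitly so the policy is visible.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_external_entity(context, base, system_id, public_id):
        # Second line of defence: an external general entity that somehow got
        # declared is never fetched, whatever its system identifier.
        raise UnsafeDocument(f"external entity reference to {system_id!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> in the internal subset, internal or
        # external, before any reference to it can be seen.
        state["entity_decls"].append(name)
        if refuse_entity_decls:
            raise UnsafeDocument(f"entity declaration {name!r} refused")

    def on_default(data):
        # With the non-expanding default handler installed (XML_SetDefaultHandler),
        # references to internal entities arrive here as literal "&name;" text
        # instead of being substituted, so nested declarations cannot blow up.
        if data.startswith("&") and data.endswith(";"):
            state["unexpanded"].append(data)

    def on_chars(data):
        # The "over limit" check: abort once the parser has handed the
        # application more character data than the budget allows.
        state["chars"] += len(data.encode("utf-8"))
        if state["chars"] > budget:
            raise UnsafeDocument(f"character data exceeded {budget} bytes")
        state["text"].append(data)

    p.ExternalEntityRefHandler = on_external_entity
    p.EntityDeclHandler = on_entity_decl
    p.DefaultHandler = on_default  # not DefaultHandlerExpand: no expansion
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    state["text"] = "".join(state["text"])
    return state


def check(doc, **kw):
    """Return ("ok", text) or ("rejected", reason) for one document."""
    try:
        return "ok", parse_hardened(doc, **kw)["text"]
    except UnsafeDocument as exc:
        return "rejected", str(exc)
    except expat.ExpatError as exc:
        return "rejected", f"not well-formed: {exc}"


# Constructed sample inputs (not taken from the thread).
BENIGN = "<r>hello &amp; welcome</r>"
WITH_ENTITIES = '<!DOCTYPE r [<!ENTITY a "x"><!ENTITY b "&a;&a;">]><r>&b;</r>'
EXTERNAL = '<!DOCTYPE r [<!ENTITY e SYSTEM "http://example.invalid/e.txt">]><r>&e;</r>'
OVERSIZED = "<r>" + "x" * 200 + "</r>"

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("entities", WITH_ENTITIES),
                      ("external", EXTERNAL), ("oversized", OVERSIZED)]:
        print(name, check(doc, budget=100))
    # Relaxed mode: declarations are allowed, but XML_SetDefaultHandler keeps
    # references from expanding, so &b; is reported, never substituted.
    print("relaxed", parse_hardened(WITH_ENTITIES, refuse_entity_decls=False))
```

The strict mode rejects any document that declares an entity, which is the "turn off DTD processing" answer in practice. The relaxed mode is for code that must accept a DOCTYPE: there the non-expanding default handler is what prevents a chain of internal entities from being expanded, and the byte budget catches whatever still reaches the application. In C the same five calls are XML_SetParamEntityParsing, XML_SetExternalEntityRefHandler, XML_SetEntityDeclHandler, XML_SetDefaultHandler and XML_SetCharacterDataHandler, with XML_StopParser used where the Python handlers raise.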