author | Nick Wellnhofer <wellnhofer@aevum.de> | 2022-12-21 05:15:51 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2022-12-21 20:20:11 +0100 |
commit | 046f99c543a1b82ba17c896c351176956331da73 (patch) | |
tree | b105e5f59ccec8484c06fc267e37deb95cf80d79 /test | |
parent | fafa02520903753adce0df195e8a605ec98cfc97 (diff) | |
download | libxml2-046f99c543a1b82ba17c896c351176956331da73.tar.gz |
testrecurse: Add lol_param.xml
Add test case contributed by Sebastian Pipping for CVE-2021-3541.
Diffstat (limited to 'test')
-rw-r--r-- | test/recurse/lol_param.xml | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/test/recurse/lol_param.xml b/test/recurse/lol_param.xml
new file mode 100644
index 00000000..f6279868
--- /dev/null
+++ b/test/recurse/lol_param.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0"?>
+<!--
+ Copyright (C) 2020 Sebastian Pipping <sebastian@pipping.org>
+ v3.1 2020-06-21, not (yet) to be published
+
+ "Parameter Laughs", i.e. variant of Billion Laughs Attack
+ using parameter entities the other way around
+
+ Use of "%pe24;" below makes the XML processor (e.g. "xmlwf -p < file.xml" or
+ "xmllint file.xml > /dev/null") take 3 to 12 seconds on my machine.
+ Increase to "%pe25;" and beyond carefully: use of "%pe40;" makes my machine
+ need a hard reset.
+
+ Note that unlike libxml2, libexpat does not have any protection against
+ billion laughs attacks to this day, so it's not a new vulnerability
+ with regard to libexpat. Upcoming release libexpat 2.4.0 will have
+ protection against this family of attacks.
+-->
+<!DOCTYPE r [
+ <!ENTITY % pe_1 "<!---->">
+ <!ENTITY % pe_2 "%pe_1;<!---->%pe_1;">
+ <!ENTITY % pe_3 "%pe_2;<!---->%pe_2;">
+ <!ENTITY % pe_4 "%pe_3;<!---->%pe_3;">
+ <!ENTITY % pe_5 "%pe_4;<!---->%pe_4;">
+ <!ENTITY % pe_6 "%pe_5;<!---->%pe_5;">
+ <!ENTITY % pe_7 "%pe_6;<!---->%pe_6;">
+ <!ENTITY % pe_8 "%pe_7;<!---->%pe_7;">
+ <!ENTITY % pe_9 "%pe_8;<!---->%pe_8;">
+ <!ENTITY % pe10 "%pe_9;<!---->%pe_9;">
+ <!ENTITY % pe11 "%pe10;<!---->%pe10;">
+ <!ENTITY % pe12 "%pe11;<!---->%pe11;">
+ <!ENTITY % pe13 "%pe12;<!---->%pe12;">
+ <!ENTITY % pe14 "%pe13;<!---->%pe13;">
+ <!ENTITY % pe15 "%pe14;<!---->%pe14;">
+ <!ENTITY % pe16 "%pe15;<!---->%pe15;">
+ <!ENTITY % pe17 "%pe16;<!---->%pe16;">
+ <!ENTITY % pe17 "%pe16;<!---->%pe16;">
+ <!ENTITY % pe18 "%pe17;<!---->%pe17;">
+ <!ENTITY % pe19 "%pe18;<!---->%pe18;">
+ <!ENTITY % pe20 "%pe19;<!---->%pe19;">
+ <!ENTITY % pe21 "%pe20;<!---->%pe20;">
+ <!ENTITY % pe22 "%pe21;<!---->%pe21;">
+ <!ENTITY % pe23 "%pe22;<!---->%pe22;">
+ <!ENTITY % pe24 "%pe23;<!---->%pe23;">
+ <!ENTITY % pe25 "%pe24;<!---->%pe24;">
+ <!ENTITY % pe26 "%pe25;<!---->%pe25;">
+ <!ENTITY % pe27 "%pe26;<!---->%pe26;">
+ <!ENTITY % pe28 "%pe27;<!---->%pe27;">
+ <!ENTITY % pe29 "%pe28;<!---->%pe28;">
+ <!ENTITY % pe30 "%pe29;<!---->%pe29;">
+ <!ENTITY % pe31 "%pe30;<!---->%pe30;">
+ <!ENTITY % pe32 "%pe31;<!---->%pe31;">
+ <!ENTITY % pe33 "%pe32;<!---->%pe32;">
+ <!ENTITY % pe34 "%pe33;<!---->%pe33;">
+ <!ENTITY % pe35 "%pe34;<!---->%pe34;">
+ <!ENTITY % pe36 "%pe35;<!---->%pe35;">
+ <!ENTITY % pe37 "%pe36;<!---->%pe36;">
+ <!ENTITY % pe38 "%pe37;<!---->%pe37;">
+ <!ENTITY % pe39 "%pe38;<!---->%pe38;">
+ <!ENTITY % pe40 "%pe39;<!---->%pe39;">
+ %pe24; <!-- not at full potential, increase towards "%pe40;" carefully -->
+]>
+<r/> |
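Review bot: The header comment of the new file never states what a passing run looks like, nor that this is the regression case for CVE-2021-3541 (only the commit message says so), and it still carries the stale "not (yet) to be published" line. A sentence such as `Regression test for CVE-2021-3541: the parser is expected to stop with an entity-expansion error rather than expand %pe24; in full.` would keep a later maintainer from treating a slow or hanging run on an unprotected build as a flaky test. `pe17` is declared twice; a conforming parser ignores the second declaration, so it is harmless, but it should either be dropped or marked as kept verbatim from the contributed file. Whether testrecurse asserts a specific error code for this file is not visible in this diff, so the expected-outcome wording should be checked against the harness.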