登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 46

吴磊磊 / qt5-qtbase

forked from src-openEuler / qt5-qtbase 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
CVE-2015-9541.patch 6.43 KB
一键复制 编辑 原始数据 按行查看 历史
jackie_wu 提交于 2020-09-21 20:38 . fix CVE-2015-9541
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159
From fd4be84d23a0db4186cb42e736a9de3af722c7f7 Mon Sep 17 00:00:00 2001

From: Lars Knoll <lars.knoll@qt.io>

Date: Wed, 26 Feb 2020 10:42:10 +0100

Subject: Add an expansion limit for entities



Recursively defined entities can easily exhaust all available

memory. Limit entity expansion to a default of 4096 characters to

avoid DoS attacks when a user loads untrusted content.



Added a setter and getter to allow modifying the expansion limit.



[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now by default

limit the expansion of entities to 4096 characters. Documents where

a single entity expands to more characters than the limit are not

considered well formed. The limit is there to avoid DoS attacks through

recursively expanding entities when loading untrusted content. The

limit can be changed through the QXmlStreamReader::setEntityExpansionLimit()

method.



Fixes: QTBUG-47417

Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9

Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>

Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>

---

 src/corelib/serialization/qxmlstream.cpp           | 36 ++++++++++++++++++

 src/corelib/serialization/qxmlstream.g             | 14 ++++++-

 src/corelib/serialization/qxmlstream.h             |  2 +

 src/corelib/serialization/qxmlstream_p.h           | 14 ++++++-

 .../serialization/qxmlstream/tst_qxmlstream.cpp    | 44 +++++++++++++++++++++-

 5 files changed, 106 insertions(+), 4 deletions(-)



diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp

index 7ff87885a5..d7fb0d0d41 100644

--- a/src/corelib/serialization/qxmlstream.cpp

+++ b/src/corelib/serialization/qxmlstream.cpp

@@ -2041,6 +2041,42 @@ QStringRef QXmlStreamReader::dtdSystemId() const

    return QStringRef();

 }

 

+/*!

+  \since 5.15

+

+  Returns the maximum amount of characters a single entity is

+  allowed to expand into. If a single entity expands past the

+  given limit, the document is not considered well formed.

+

+  \sa setEntityExpansionLimit

+*/

+int QXmlStreamReader::entityExpansionLimit() const

+{

+    Q_D(const QXmlStreamReader);

+    return d->entityExpansionLimit;

+}

+

+/*!

+  \since 5.15

+

+  Sets the maximum amount of characters a single entity is

+  allowed to expand into to \a limit. If a single entity expands

+  past the given limit, the document is not considered well formed.

+

+  The limit is there to prevent DoS attacks when loading unknown

+  XML documents where recursive entity expansion could otherwise

+  exhaust all available memory.

+

+  The default value for this property is 4096 characters.

+

+  \sa entityExpansionLimit

+*/

+void QXmlStreamReader::setEntityExpansionLimit(int limit)

+{

+    Q_D(QXmlStreamReader);

+    d->entityExpansionLimit = limit;

+}

+

 /*!  If the tokenType() is \l StartElement, this function returns the

   element's namespace declarations. Otherwise an empty vector is

   returned.

diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g

index 12ecc9bdb2..b623de9505 100644

--- a/src/corelib/serialization/qxmlstream.g

+++ b/src/corelib/serialization/qxmlstream.g

@@ -285,9 +285,19 @@ public:

     QHash<QStringView, Entity> entityHash;

     QHash<QStringView, Entity> parameterEntityHash;

     QXmlStreamSimpleStack<Entity *>entityReferenceStack;

+    int entityExpansionLimit = 4096;

+    int entityLength = 0;

     inline bool referenceEntity(Entity &entity) {

         if (entity.isCurrentlyReferenced) {

-            raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));

+            raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));

+            return false;

+        }

+        // entityLength represents the amount of additional characters the

+        // entity expands into (can be negative for e.g. &amp;). It's used to

+        // avoid DoS attacks through recursive entity expansions

+        entityLength += entity.value.size() - entity.name.size() - 2;

+        if (entityLength > entityExpansionLimit) {

+            raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));

             return false;

         }

         entity.isCurrentlyReferenced = true;

@@ -838,6 +848,8 @@ entity_done ::= ENTITY_DONE;

 /.

         case $rule_number:

             entityReferenceStack.pop()->isCurrentlyReferenced = false;

+            if (entityReferenceStack.isEmpty())

+                entityLength = 0;

             clearSym();

         break;

 ./

diff --git a/src/corelib/serialization/qxmlstream.h b/src/corelib/serialization/qxmlstream.h

index 7d0aa64570..c8647e0465 100644

--- a/src/corelib/serialization/qxmlstream.h

+++ b/src/corelib/serialization/qxmlstream.h

@@ -426,6 +426,8 @@ public:

     QStringRef dtdPublicId() const;

     QStringRef dtdSystemId() const;

 

+    int entityExpansionLimit() const;

+    void setEntityExpansionLimit(int limit);

 

     enum Error {

         NoError,

diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h

index 9c94e6d434..103b123b10 100644

--- a/src/corelib/serialization/qxmlstream_p.h

+++ b/src/corelib/serialization/qxmlstream_p.h

@@ -774,9 +774,19 @@ public:

     QHash<QStringView, Entity> entityHash;

     QHash<QStringView, Entity> parameterEntityHash;

     QXmlStreamSimpleStack<Entity *>entityReferenceStack;

+    int entityExpansionLimit = 4096;

+    int entityLength = 0;

     inline bool referenceEntity(Entity &entity) {

         if (entity.isCurrentlyReferenced) {

-            raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));

+            raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));

+            return false;

+        }

+        // entityLength represents the amount of additional characters the

+        // entity expands into (can be negative for e.g. &amp;). It's used to

+        // avoid DoS attacks through recursive entity expansions

+        entityLength += entity.value.size() - entity.name.size() - 2;

+        if (entityLength > entityExpansionLimit) {

+            raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));

             return false;

         }

         entity.isCurrentlyReferenced = true;

@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse()

 

         case 10:

             entityReferenceStack.pop()->isCurrentlyReferenced = false;

+            if (entityReferenceStack.isEmpty())

+                entityLength = 0;

             clearSym();

         break;
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/wu-leilei/qt5-qtbase.git
git@gitee.com:wu-leilei/qt5-qtbase.git
wu-leilei
qt5-qtbase
qt5-qtbase
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
仓库举报
回到顶部
344bd9b3 5694891 D2dac590 5694891