From fd4be84d23a0db4186cb42e736a9de3af722c7f7 Mon Sep 17 00:00:00 2001
From: Lars Knoll <lars.knoll@qt.io>
Date: Wed, 26 Feb 2020 10:42:10 +0100
Subject: Add an expansion limit for entities
Recursively defined entities can easily exhaust all available
memory. Limit entity expansion to a default of 4096 characters to
avoid DoS attacks when a user loads untrusted content.
Added a setter and getter to allow modifying the expansion limit.
[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now by default
limit the expansion of entities to 4096 characters. Documents where
a single entity expands to more characters than the limit are not
considered well formed. The limit is there to avoid DoS attacks through
recursively expanding entities when loading untrusted content. The
limit can be changed through the QXmlStreamReader::setEntityExpansionLimit()
method.
Fixes: QTBUG-47417
Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
---
src/corelib/serialization/qxmlstream.cpp | 36 ++++++++++++++++++
src/corelib/serialization/qxmlstream.g | 14 ++++++-
src/corelib/serialization/qxmlstream.h | 2 +
src/corelib/serialization/qxmlstream_p.h | 14 ++++++-
.../serialization/qxmlstream/tst_qxmlstream.cpp | 44 +++++++++++++++++++++-
5 files changed, 106 insertions(+), 4 deletions(-)
diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
index 7ff87885a5..d7fb0d0d41 100644
--- a/src/corelib/serialization/qxmlstream.cpp
+++ b/src/corelib/serialization/qxmlstream.cpp
@@ -2041,6 +2041,42 @@ QStringRef QXmlStreamReader::dtdSystemId() const
return QStringRef();
}
+/*!
+ \since 5.15
+
+ Returns the maximum amount of characters a single entity is
+ allowed to expand into. If a single entity expands past the
+ given limit, the document is not considered well formed.
+
+ \sa setEntityExpansionLimit
+*/
+int QXmlStreamReader::entityExpansionLimit() const
+{
+ Q_D(const QXmlStreamReader);
+ return d->entityExpansionLimit;
+}
+
+/*!
+ \since 5.15
+
+ Sets the maximum amount of characters a single entity is
+ allowed to expand into to \a limit. If a single entity expands
+ past the given limit, the document is not considered well formed.
+
+ The limit is there to prevent DoS attacks when loading unknown
+ XML documents where recursive entity expansion could otherwise
+ exhaust all available memory.
+
+ The default value for this property is 4096 characters.
+
+ \sa entityExpansionLimit
+*/
+void QXmlStreamReader::setEntityExpansionLimit(int limit)
+{
+ Q_D(QXmlStreamReader);
+ d->entityExpansionLimit = limit;
+}
+
/*! If the tokenType() is \l StartElement, this function returns the
element's namespace declarations. Otherwise an empty vector is
returned.
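Review bot: setEntityExpansionLimit() stores `limit` unchecked, and neither the doc block nor the setter says what 0 or a negative value means. Because the check in referenceEntity is `entityLength > entityExpansionLimit` and entityLength can itself be negative (the doc for the counter notes `&amp;` expands to fewer characters than its reference), a negative limit silently rejects almost every entity reference rather than disabling the limit; either clamp to a minimum of 0 in the setter or document the semantics of 0 and negative values explicitly. Minor: "amount of characters" should be "number of characters" in both doc blocks, and "this property" is loose wording since QXmlStreamReader is not a QObject. The tst_qxmlstream.cpp changes listed in the diffstat are not part of this excerpt, so coverage of the boundary cases cannot be confirmed here.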
diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
index 12ecc9bdb2..b623de9505 100644
--- a/src/corelib/serialization/qxmlstream.g
+++ b/src/corelib/serialization/qxmlstream.g
@@ -285,9 +285,19 @@ public:
QHash<QStringView, Entity> entityHash;
QHash<QStringView, Entity> parameterEntityHash;
QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+ int entityExpansionLimit = 4096;
+ int entityLength = 0;
inline bool referenceEntity(Entity &entity) {
if (entity.isCurrentlyReferenced) {
- raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+ return false;
+ }
+ // entityLength represents the amount of additional characters the
+ // entity expands into (can be negative for e.g. &). It's used to
+ // avoid DoS attacks through recursive entity expansions
+ entityLength += entity.value.size() - entity.name.size() - 2;
+ if (entityLength > entityExpansionLimit) {
+ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
return false;
}
entity.isCurrentlyReferenced = true;
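Review bot: the new comment describes entityLength as the additional characters "the entity expands into", but since it is only zeroed when the reference stack empties, it is really the cumulative net expansion of everything referenced under one top-level entity reference, which is exactly what stops deeply nested expansion from blowing up memory; the comment and the public doc ("a single entity") should say so, and the `- 2` deserves a word (the `&` and `;` of the reference itself). entityLength is incremented before the limit check returns false, which is harmless only because raiseWellFormedError() aborts the parse.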
@@ -838,6 +848,8 @@ entity_done ::= ENTITY_DONE;
/.
case $rule_number:
entityReferenceStack.pop()->isCurrentlyReferenced = false;
+ if (entityReferenceStack.isEmpty())
+ entityLength = 0;
clearSym();
break;
./
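Review bot: entityLength is reset only in the entity_done action and only when the stack becomes empty, so the code paths that reinitialise the reader (the private's init/clear, not touched by this patch) should also zero entityLength and the reference stack; otherwise a reader reused after a well-formedness error raised mid-expansion starts with a stale count. A test for that reuse case would belong in tst_qxmlstream.cpp, whose hunk is not in this excerpt.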
diff --git a/src/corelib/serialization/qxmlstream.h b/src/corelib/serialization/qxmlstream.h
index 7d0aa64570..c8647e0465 100644
--- a/src/corelib/serialization/qxmlstream.h
+++ b/src/corelib/serialization/qxmlstream.h
@@ -426,6 +426,8 @@ public:
QStringRef dtdPublicId() const;
QStringRef dtdSystemId() const;
+ int entityExpansionLimit() const;
+ void setEntityExpansionLimit(int limit);
enum Error {
NoError,
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
index 9c94e6d434..103b123b10 100644
--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -774,9 +774,19 @@ public:
QHash<QStringView, Entity> entityHash;
QHash<QStringView, Entity> parameterEntityHash;
QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+ int entityExpansionLimit = 4096;
+ int entityLength = 0;
inline bool referenceEntity(Entity &entity) {
if (entity.isCurrentlyReferenced) {
- raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+ return false;
+ }
+ // entityLength represents the amount of additional characters the
+ // entity expands into (can be negative for e.g. &). It's used to
+ // avoid DoS attacks through recursive entity expansions
+ entityLength += entity.value.size() - entity.name.size() - 2;
+ if (entityLength > entityExpansionLimit) {
+ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
return false;
}
entity.isCurrentlyReferenced = true;
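Review bot: qxmlstream_p.h is generated from qxmlstream.g, and this hunk reproduces the .g change line for line, including the two new tr() strings; just confirm it came from regenerating with qlalr rather than hand-editing so the two files cannot drift, and note that both messages are new translatable strings for the QtCore translations.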
@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse()
case 10:
entityReferenceStack.pop()->isCurrentlyReferenced = false;
+ if (entityReferenceStack.isEmpty())
+ entityLength = 0;
clearSym();
break;
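Review bot: this generated `case 10:` action mirrors the entity_done rule change in qxmlstream.g; the hard-coded rule number is only valid if the header was regenerated after the grammar edit, so the same regeneration check as for the referenceEntity hunk applies here.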