Mercurial > pidgin
annotate libpurple/tests/test_xmlnode.c @ 31680:c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
billion laughs attack. I think because we specify NULL as the entity
resolver, attempts to define entities in an xml doc just get ignored.
| author | Mark Doliner <mark@kingant.net> |
|---|---|
| date | Wed, 22 Jun 2011 17:43:51 +0000 |
| parents | |
| children | 114a98da1a5f 3828a61c44da |
| rev | line source |
|---|---|
|
31680
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
1 #include <string.h> |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
2 |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
3 #include "tests.h" |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
4 #include "../xmlnode.h" |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
5 |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
6 /* |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
7 * If we really wanted to test the billion laughs attack we would |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
8 * need to have more than just 4 ha's. But as long as this shorter |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
9 * document fails to parse, the longer one should also fail to parse. |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
10 */ |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
11 START_TEST(test_xmlnode_billion_laughs_attack) |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
12 { |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
13 const char *malicious_xml_doc = "<!DOCTYPE root [ <!ENTITY ha \"Ha !\"><!ENTITY ha2 \"&ha; &ha;\"><!ENTITY ha3 \"&ha2; &ha2;\"> ]><root>&ha3;</root>"; |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
14 |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
15 /* Uncomment this line if you want to see the error message given by |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
16 the parser for the above XML document */ |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
17 /* purple_debug_set_enabled(TRUE); */ |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
18 |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
19 fail_if(xmlnode_from_str(malicious_xml_doc, -1), |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
20 "xmlnode_from_str() returned an XML tree, but we didn't want it to"); |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
21 } |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
22 END_TEST |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
23 |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
24 Suite * |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
25 xmlnode_suite(void) |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
26 { |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
27 Suite *s = suite_create("Utility Functions"); |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
28 |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
29 TCase *tc = tcase_create("xmlnode"); |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
30 tcase_add_test(tc, test_xmlnode_billion_laughs_attack); |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
31 suite_add_tcase(s, tc); |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
32 |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
33 return s; |
|
c8f91310bfbf
Add a silly little check to make sure our xml parser isn't vulnerable to the
Mark Doliner <mark@kingant.net>
parents:
diff
changeset
|
34 } |