Version number: 2.0.1
Hello,
I recently was working on something related to expat at my work and I found a bug in xmlparse.c with respect to param entity parsing.
Looking through expat.h, I was able to find the handler call for XML_SetParamEntityParsing, which gives the ability to disable param entity parsing. I found out that setting param entity parsing to XML_PARAM_ENTITY_PARSING_NEVER doesn't actually disable param entity parsing, which should ameliorate the one billion laughs vector. It will attempt to parse the parameter entity when going through doProlog (in xmlparse.c) and go into a recursive loop when it hits the case XML_ROLE_ENTITY_VALUE. The parser will call storeEntityValue, which can call itself internally and lead to a vector for the billion lols attack.
I found a one-line change that I think can fix the problem of the billion lols attack vector being around even when XML_ParamEntityParsing is set to XML_PARAM_ENTITY_PARSING_NEVER. Basically, my change will add an additional check to the if statement and ignore processing the entity if the parser is requested not to.
I have attached a patch to xmlparse.c and this should be demonstrated with a simple billion lols xml file.
To demonstrate this bug (and the fix), set up an xml parser with no-ops for the required handlers and include XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_NEVER) when creating it.
Thank you for your time and I hope this can make it in.
Dan
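An added defender-side harness, not the patch attached to this report and not expat's own code, written against Python's standard-library binding to the same library. It follows the report's set-up (no-op content handlers plus XML_PARAM_ENTITY_PARSING_NEVER) and adds an EntityDeclHandler policy that refuses parameter entities, external entities and any entity whose replacement text references another entity, so exponential expansion is stopped when the declaration is seen rather than relying on the setting alone. The two sample documents are constructed, and the helper and exception names are hypothetical.

```python
import re
import xml.parsers.expat as expat

# Any &name; in a replacement text except a character reference (&#38; etc.,
# which expat resolves at declaration time). Conservative: &amp; is refused too.
NESTED_REF = re.compile(r"&(?!#)[^\s&;]+;")

class EntityPolicyViolation(ValueError):
    """Raised from the declaration handler to abort the parse early."""

def make_guarded_parser():
    """Parser set up as the report describes, plus a declaration-time guard."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if is_param:
            raise EntityPolicyViolation(f"parameter entity %{name}; not allowed")
        if value is None:  # external entity: only a system/public id was given
            raise EntityPolicyViolation(f"external entity &{name}; not allowed")
        if NESTED_REF.search(value):  # nesting is what multiplies the expansion
            raise EntityPolicyViolation(f"entity &{name}; references other entities")
    parser.EntityDeclHandler = entity_decl
    # No-op content handlers, as in the report's reproduction set-up.
    parser.StartElementHandler = lambda name, attrs: None
    parser.EndElementHandler = lambda name: None
    parser.CharacterDataHandler = lambda data: None
    return parser

def parse_guarded(document: bytes) -> str:
    """Return 'ok' or 'rejected: <reason>'; the guard fires before any expansion."""
    parser = make_guarded_parser()
    try:
        parser.Parse(document, True)
    except EntityPolicyViolation as exc:
        return f"rejected: {exc}"
    return "ok"

# Constructed samples; the nested one is deliberately tiny (16 copies of "lol")
# since it only has to show the rejection at declaration time.
FLAT_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY vendor "Example Corp"> ]>
<doc>&vendor;</doc>"""
NESTED_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol0 "lol">
 <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""
```

Because the policy runs inside the declaration handler, the parse is aborted at the second declaration of the nested sample, before any reference in the document body is expanded.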