aboutsummaryrefslogtreecommitdiffstats
path: root/LICENSES/AGPL-3.0-or-later.txt
diff options
context:
space:
mode:
authorHarald Eilertsen <haraldei@anduin.net>2024-07-07 10:36:50 +0200
committerHarald Eilertsen <haraldei@anduin.net>2024-07-07 10:36:50 +0200
commit3744f1eb8a85e5d55e9de8d616845c800fe39273 (patch)
tree745e4a92cde8a640f809988b976867dc4b15f207 /LICENSES/AGPL-3.0-or-later.txt
parent0387da273779bd16bba74da4ac4384cbe78ca484 (diff)
downloadvolse-webtrap-3744f1eb8a85e5d55e9de8d616845c800fe39273.tar.gz
volse-webtrap-3744f1eb8a85e5d55e9de8d616845c800fe39273.tar.bz2
volse-webtrap-3744f1eb8a85e5d55e9de8d616845c800fe39273.zip
Switch to useing XMLReader to parse XML payloads.
XMLParser would expand entities by default, which could make us susceptible both to XXE attacks, and the billion laughs attack. By default XMLReader does _not_ expand entities, so it's a safer choice. This also changes the XmlRpcMethod::parse() function to throw a runtime exception if the XML payload could not be parsed, and to return null if the payload does not contain a valid <methodName> element. In cases where we're unable to parse the payload as a valid XML-RPC request, we fall back to saving the full request info as before.
Diffstat (limited to 'LICENSES/AGPL-3.0-or-later.txt')
0 files changed, 0 insertions, 0 deletions