Simon Willison’s Weblog

Subscribe
Atom feed for billionlaughs

2 items tagged “billionlaughs”

2008

Tip: Configure SAX parsers for secure processing. Explains the billion laughs attack, among others.

# 23rd August 2008, 11:12 am / billionlaughs, xml, security, sax, elliotte-rusty-harold

DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming.

# 23rd August 2008, 11:11 am / rails, ruby, rexml, xml, security, dos, billionlaughs