    Fix CWE-611 · 456752eb
    g.turri authored
    This commit fixes the issue described on
    https://cwe.mitre.org/data/definitions/611.html
    
    Nb: it's mostly the same as ad6615b3 but
    with an added reference to org.apache.xerces in order to avoid the
    AbstractMethodError that was experienced by users back then.
    
    Nb2: writing down the payload with which I tested this patch, in case I
    need to run this test again in the future:
    
        <?xml version="1.0"?>
        <!DOCTYPE replace [<!ENTITY ent SYSTEM "http://localhost/malware"> ]>
        <methodResponse>
            <params>
                <param>
                   <value><string>&ent;</string></value>
                </param>
            </params>
        </methodResponse>
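Added example, not code from this commit or from the project it belongs to: a self-contained Java class that runs the commit's own test payload through a default JAXP SAX factory and then through one configured the way CWE-611 (XXE) fixes normally are, so the before/after behaviour can be checked without a real server on localhost. The class and method names are hypothetical; the feature URIs are the standard JAXP/Xerces ones. The handler returns an empty entity instead of letting the parser fetch http://localhost/malware, and only records which URI the parser asked for.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical demo class; not part of the project the commit belongs to. */
public class XxeFixDemo {

    /** Constructed test input: the same XML-RPC payload quoted in the commit message. */
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE replace [<!ENTITY ent SYSTEM \"http://localhost/malware\"> ]>\n"
        + "<methodResponse>\n"
        + "    <params>\n"
        + "        <param>\n"
        + "           <value><string>&ent;</string></value>\n"
        + "        </param>\n"
        + "    </params>\n"
        + "</methodResponse>\n";

    /**
     * Handler that records every external entity the parser tries to resolve and hands
     * it an empty entity instead, so the demo shows the fetch without touching the network.
     */
    static final class RecordingHandler extends DefaultHandler {
        final List<String> resolvedSystemIds = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            resolvedSystemIds.add(systemId);
            return new InputSource(new StringReader(""));
        }
    }

    /**
     * Factory configured the way a CWE-611 fix usually is: reject any DOCTYPE (which also
     * removes internal entity declarations), and additionally switch off external entity
     * loading in case the parser implementation in use ignores disallow-doctype-decl.
     */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses xml with a parser from f and returns the external entity URIs it tried to load. */
    static List<String> entityFetchesDuringParse(SAXParserFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        RecordingHandler handler = new RecordingHandler();
        SAXParser parser = f.newSAXParser();
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return handler.resolvedSystemIds;
    }

    public static void main(String[] args) throws Exception {
        // Before the fix: the JDK's default factory accepts the DOCTYPE and expands &ent;,
        // so the resolver is asked for http://localhost/malware (the XXE the commit closes).
        List<String> fetched = entityFetchesDuringParse(SAXParserFactory.newInstance(), PAYLOAD);
        System.out.println("default factory resolved external entities: " + fetched);

        // After the fix: the DOCTYPE is rejected before any entity can be declared.
        try {
            entityFetchesDuringParse(hardenedFactory(), PAYLOAD);
            System.out.println("hardened factory accepted the payload: fix is NOT effective");
        } catch (SAXParseException e) {
            System.out.println("hardened factory rejected the payload: " + e.getMessage());
        }
    }
}
```

The AbstractMethodError the commit message mentions is the check worth keeping in mind when applying this pattern: SAXParserFactory.setFeature was added in JAXP 1.3 (Java 5), so if the factory resolved through JAXP's service lookup is an older SAX implementation that predates it, the hardening call itself throws AbstractMethodError at runtime instead of failing at compile time. Pinning a current org.apache.xerces implementation (for instance by instantiating org.apache.xerces.jaxp.SAXParserFactoryImpl directly rather than calling SAXParserFactory.newInstance()) is one way to avoid that; the exact reference the commit added is not visible on this page.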