in reply to Loading a Local File
in thread XML::Parser Tutorial


Anyone facing xml bomb issue with the below mentioned code which was discussed above?

my $parser = new XML::Parser ( Handlers => { # Creates our parser object Start => \&hdl_start, End => \&hdl_end, Char => \&hdl_char, Default => \&hdl_def, } ); ... $parser->parse($fileStream);
It would be very helpful if anyone could help me to resolve this xml bomb issue..

Is xml bomb issue applicable for this XML::Parser module? Can anyone shed some light on this?

-- Nagalakshmi

Replies are listed 'Best First'.
Re^2: Loading a Local File
by Corion (Pope) on Jan 04, 2018 at 12:07 UTC

    What you call "xml bomb" is most likely the XML Entity Expansion attack.

    This is most easily prevented by not expanding entities, or not expanding them recursively.

    To enable that, see the XML::Parser documentation, especially the NoExpand flag and the handlers for external and other entities.

    In those, you get to decide whether to fetch them and whether to expand them. If an entity expands to more entities, consider whether to expand them or not.