I wrote a 4KB request similar to the above that took about 10 minutes to consume > 1 GB server memory.
Thierry's suggestion fixes the DoS vulnerability, but then the same request will still return a 500 as the subsequent code doesn't know how to deal with XML entities.
The attached patch completely ignores XML entities, comments, and processing instructions -- the sample request above now results in a quick 401 Unauthorized, as expected.
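The defensive approach the comment describes, refusing entity declarations before anything is expanded and discarding comments and processing instructions, can be shown with Python's built-in expat bindings. This is an added example, not the attached patch or the project's own code; the function and exception names are assumptions, and the two XML documents are constructed inputs (the second declares a single harmless entity, which is enough to trigger the rejection path).

```python
# Added example (not the patch from the thread): reject XML input that
# declares a DOCTYPE or entities before expat expands anything, and drop
# comments and processing instructions, keeping only elements and text.
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML uses a construct we refuse to process."""


def parse_untrusted_xml(data: bytes) -> list:
    """Return a flat list of element/text events for a trusted subset of XML.

    Any DOCTYPE or entity declaration aborts parsing immediately, so an
    entity-expansion request never gets the chance to consume memory.
    Comments and processing instructions are consumed and discarded, so
    downstream code only ever sees elements, attributes and text.
    """
    events = []
    parser = xml.parsers.expat.ParserCreate()
    # Deliver each text node in one call instead of arbitrary chunks.
    parser.buffer_text = True

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before any internal subset is read.
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def reject_entity(*args):
        raise UnsafeXMLError("entity declarations are not accepted")

    def reject_external(context, base, sysid, pubid):
        # Returning 0 makes expat report the external reference as an error.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    # Comments and PIs are handed to no-op handlers and therefore dropped.
    parser.CommentHandler = lambda text: None
    parser.ProcessingInstructionHandler = lambda target, value: None
    parser.StartElementHandler = lambda name, attrs: events.append(
        ("start", name, dict(attrs)))
    parser.EndElementHandler = lambda name: events.append(("end", name))
    parser.CharacterDataHandler = lambda text: events.append(("text", text))

    parser.Parse(data, True)
    return events


def is_acceptable(data: bytes) -> bool:
    """True if the document parses under the restricted rules above."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    plain = b'<?xml version="1.0"?><!-- note --><?pi x?><a b="1">hi</a>'
    with_entity = b'<?xml version="1.0"?><!DOCTYPE a [<!ENTITY e "x">]><a>&e;</a>'
    print(parse_untrusted_xml(plain))
    print(is_acceptable(with_entity))
```

Because the DOCTYPE handler raises as soon as the declaration starts, the rejection cost is constant regardless of how large or deeply nested the entity definitions are, which is what turns the slow memory exhaustion into an immediate error response.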