« Erlang standard library: public_key

Erlang standard library: xmerl

Background

The xmerl_scan module returns XML attribute names and tag names as atoms. When used on untrusted user input, or even trusted but highly dynamic input, this can lead to atom exhaustion and therefore a DoS vulnerability (see Preventing atom exhaustion).

The xmerl_sax_parser module by default expands both internal and external entities. Any entity expansion can lead to exponential expansion through a payload called an XML bomb, such as the ‘billion laughs’ attack. Allowing entity expansion in untrusted input is therefore a DoS vulnerability.

Entity expansion can be disabled by raising an exception on ‘internalEntityDecl’ or ‘externalEntityDecl’ events in the SAX callback function.

Expanding external entities carries additional risks, potentially leading to DoS or information leakage. These issues are not specific to Erlang or xmerl; please search for ‘XXE attack’ or ‘XML External Entity attack’ for further information.

Next: Boolean coercion in Elixir »