I was asked this by a friend, and I couldn't find any information about whether this vulnerability exists in nxml-mode as current or not. I specifically mean this billion laughs attack.
1 Answer
Well that's incredibly easy to test, right?
Fire up a new Emacs instance, open a new XML file, paste in the code, see whether Emacs explodes.
(Spoiler: Yes, it does.)

phils
- FWIW, Emacs' pure Emacs Lisp XML parser (`xml-parse-region`) does so as well, whereas libxml (`libxml-parse-region`) refuses to parse it and silently fails with `nil`. – Jul 20 '16 at 15:09
- I would expect anything to be vulnerable to this unless it's been hardened against it. libxml is one of these exceptions. – wasamasa Jul 20 '16 at 16:59
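
As an added example (not part of the answer or comments above, and not code from Emacs): a pre-parse check that computes how large each internal entity declared in a region would become, without expanding anything, so an oversized document can be rejected before it reaches `xml-parse-region`. The `my-xml-*` names and the limits are hypothetical; only internal general entities are counted, each against its own budget, and parameter and external entities are ignored.

```emacs-lisp
;; Added example; the my-xml-* names are hypothetical, not part of Emacs.
(require 'cl-lib)

(defun my-xml--entity-table (beg end)
  "Map internal general entity names declared in BEG..END to their values."
  (let ((table (make-hash-table :test 'equal)) (case-fold-search nil))
    (save-excursion
      (goto-char beg)
      (while (re-search-forward
              (concat "<!ENTITY[ \t\r\n]+\\([^ \t\r\n%&;]+\\)[ \t\r\n]+"
                      "\\(?:\"\\([^\"]*\\)\"\\|'\\([^']*\\)'\\)")
              end t)
        (unless (gethash (match-string 1) table) ; first declaration binds
          (puthash (match-string 1)
                   (or (match-string 2) (match-string 3)) table))))
    table))

(defun my-xml--expanded-size (name table memo limit stack)
  "Length of entity NAME once expanded, capped at LIMIT + 1 and memoized."
  (cond
   ((member name stack) (1+ limit))     ; recursive entity: over budget
   ((gethash name memo))
   ((not (gethash name table)) (+ 2 (length name))) ; undeclared: "&name;"
   (t
    (let* ((value (gethash name table)) (size (length value)) (pos 0))
      (while (and (<= size limit)
                  (string-match "&\\([^#&; \t\r\n][^&; \t\r\n]*\\);" value pos))
        (let ((ref (match-string 1 value)))
          (setq pos (match-end 0)
                size (+ (- size 2 (length ref))
                        (my-xml--expanded-size ref table memo limit
                                               (cons name stack))))))
      (puthash name (min size (1+ limit)) memo)))))

(defun my-xml-entity-expansion-safe-p (beg end limit)
  "Non-nil if each entity declared in BEG..END expands to <= LIMIT chars."
  (let ((table (my-xml--entity-table beg end))
        (memo (make-hash-table :test 'equal)))
    (condition-case nil                 ; nesting too deep etc.: fail closed
        (cl-loop for name being the hash-keys of table
                 always (<= (my-xml--expanded-size name table memo limit nil)
                            limit))
      (error nil))))

;; Constructed sample, scaled down: a is 10 chars, b is 4 x a, c is 4 x b.
(with-temp-buffer
  (insert "<!DOCTYPE d [<!ENTITY a \"xxxxxxxxxx\"><!ENTITY b \"&a;&a;&a;&a;\">"
          "<!ENTITY c \"&b;&b;&b;&b;\">]><d>&c;</d>")
  (list (my-xml-entity-expansion-safe-p (point-min) (point-max) 1000)
        (my-xml-entity-expansion-safe-p (point-min) (point-max) 100)))
```

Memoizing each entity's size keeps the check itself linear in the size of the declarations, so the guard cannot be driven into the same exponential work it is meant to prevent.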