# HG changeset patch # User Mark Doliner # Date 1308764631 0 # Node ID c8f91310bfbf2116f334a147cdad611c01655b7c # Parent ec1e6b5893a06c41159b762343bb08849f335d41 Add a silly little check to make sure our xml parser isn't vulnerable to the billion laughs attack. I think because we specify NULL as the entity resolver, attempts to define entities in an xml doc just get ignored. diff -r ec1e6b5893a0 -r c8f91310bfbf libpurple/tests/Makefile.am --- a/libpurple/tests/Makefile.am Tue Jun 21 07:43:07 2011 +0000 +++ b/libpurple/tests/Makefile.am Wed Jun 22 17:43:51 2011 +0000 @@ -17,6 +17,7 @@ test_oscar_util.c \ test_yahoo_util.c \ test_util.c \ + test_xmlnode.c \ $(top_builddir)/libpurple/util.h check_libpurple_CFLAGS=\ diff -r ec1e6b5893a0 -r c8f91310bfbf libpurple/tests/check_libpurple.c --- a/libpurple/tests/check_libpurple.c Tue Jun 21 07:43:07 2011 +0000 +++ b/libpurple/tests/check_libpurple.c Wed Jun 22 17:43:51 2011 +0000 @@ -91,6 +91,7 @@ srunner_add_suite(sr, oscar_util_suite()); srunner_add_suite(sr, yahoo_util_suite()); srunner_add_suite(sr, util_suite()); + srunner_add_suite(sr, xmlnode_suite()); /* make this a libpurple "ui" */ purple_check_init(); diff -r ec1e6b5893a0 -r c8f91310bfbf libpurple/tests/test_xmlnode.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/libpurple/tests/test_xmlnode.c Wed Jun 22 17:43:51 2011 +0000 
@@ -0,0 +1,34 @@ +#include + +#include "tests.h" +#include "../xmlnode.h" + +/* + * If we really wanted to test the billion laughs attack we would + * need to have more than just 4 ha's. But as long as this shorter + * document fails to parse, the longer one should also fail to parse. + */ +START_TEST(test_xmlnode_billion_laughs_attack) +{ + const char *malicious_xml_doc = " ]>&ha3;"; + + /* Uncomment this line if you want to see the error message given by + the parser for the above XML document */ + /* purple_debug_set_enabled(TRUE); */ + + fail_if(xmlnode_from_str(malicious_xml_doc, -1), + "xmlnode_from_str() returned an XML tree, but we didn't want it to"); +} +END_TEST + +Suite * +xmlnode_suite(void) +{ + Suite *s = suite_create("Utility Functions"); + + TCase *tc = tcase_create("xmlnode"); + tcase_add_test(tc, test_xmlnode_billion_laughs_attack); + suite_add_tcase(s, tc); + + return s; +} diff -r ec1e6b5893a0 -r c8f91310bfbf libpurple/tests/tests.h --- a/libpurple/tests/tests.h Tue Jun 21 07:43:07 2011 +0000 +++ b/libpurple/tests/tests.h Wed Jun 22 17:43:51 2011 +0000 @@ -16,6 +16,7 @@ Suite * oscar_util_suite(void); Suite * yahoo_util_suite(void); Suite * util_suite(void); +Suite * xmlnode_suite(void); /* helper macros */ #define assert_int_equal(expected, actual) { \
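Review bot: In test_xmlnode.c the assertion `fail_if(xmlnode_from_str(malicious_xml_doc, -1), ...)` only proves that the parse returned NULL, not that it returned NULL because of the entity declarations; any other parse error (a typo in the DOCTYPE, an undeclared `&ha3;`) makes the test pass for the wrong reason. As displayed here the literal reads only `" ]>&ha3;"`, which illustrates the problem: with the declarations missing, the document fails on the undeclared reference and the test still goes green. Suggest a control case that feeds the same root element without the DOCTYPE/ENTITY block and asserts that xmlnode_from_str() does return a tree, so the failure is attributable to the entities. The comment's reasoning that "as long as this shorter document fails to parse, the longer one should also fail" holds only if the parser refuses entity definitions outright (the commit message's guess about the NULL entity resolver); if a future parser setting instead limits expansion size, four levels could parse while the full attack still expands, so either document the assumption in the comment or nest deeply enough that the assertion does not depend on it. Minor: the hint `/* purple_debug_set_enabled(TRUE); */` has no matching `purple_debug_set_enabled(FALSE)` after the call, so if someone uncomments it the debug output leaks into every suite that runs afterwards; and the first line shows as a bare `#include` with no header named, so check that the file names the header it needs.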
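Review bot: In xmlnode_suite() the call `suite_create("Utility Functions")` gives the new suite a name that does not describe it, and the check report will not tell it apart from the existing utility suites registered beside it in check_libpurple.c. Suggest `suite_create("xmlnode")` (or "XML Node") so failures are attributed to the right file.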