Description
XMLParser is based on libxml2, an open-source library developed by hobbyists about 25 years ago. This code has never been up to modern standards and contains multiple unfixed security issues concerning algorithmic complexity. It has always been trivial to mount DoS attacks, making libxml2 consume minutes or hours of CPU time when processing documents of a few megabytes or less in size. This means that XMLParser should never be used to process untrusted input.
I'm aware that Apple is unwilling to contribute to the OSS projects they incorporate in their operating systems. All I'm asking is that you update your documentation and be honest about defects in third-party code. Please make it clear that XMLParser should only be used with trusted input or in a sandbox.