Impact
The application crashes with a stack overflow when the XML builder is used with preserveOrder:true on the following or similar input:
[{
'foo': [
{ 'bar': [{ '@_V': 'baz' }] }
]
}]
Cause: arrToStr did not validate whether its input was an array or a string, and treated all non-array values as text content.
Patches
Yes, in 5.3.8.
Workarounds
Use the XML builder with preserveOrder:false, or check the input data before passing it to the builder.
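One way to do the input check named in the workaround, as an added example that is not code from the advisory or the project. The key names `#text` and `:@`, the depth limit and the function name are assumptions; adjust them to the options your builder is configured with.

```javascript
// Added example: pre-validation of preserveOrder-style builder input.
// TEXT_KEY, ATTR_KEY and MAX_DEPTH are assumed values, not taken from the advisory.
const TEXT_KEY = '#text';
const ATTR_KEY = ':@';
const MAX_DEPTH = 200;

const isPrimitive = (v) => ['string', 'number', 'boolean'].includes(typeof v);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Returns null when the input is well-formed, otherwise a string naming the
// first offending path. Uses an explicit work list, so the check itself
// cannot overflow the call stack on deeply nested input.
function findOrderedInputError(input) {
  if (!Array.isArray(input)) return '$: top level must be an array';
  const work = [{ nodes: input, path: '$', depth: 0 }];
  while (work.length > 0) {
    const { nodes, path, depth } = work.pop();
    if (depth > MAX_DEPTH) return `${path}: nesting deeper than ${MAX_DEPTH}`;
    for (let i = 0; i < nodes.length; i++) {
      const node = nodes[i];
      const here = `${path}[${i}]`;
      if (!isPlainObject(node)) return `${here}: node must be an object`;
      for (const [key, value] of Object.entries(node)) {
        if (key === TEXT_KEY) {
          if (!isPrimitive(value)) return `${here}.${key}: text must be a primitive`;
        } else if (key === ATTR_KEY) {
          if (!isPlainObject(value) || !Object.values(value).every(isPrimitive)) {
            return `${here}.${key}: attributes must be an object of primitives`;
          }
        } else if (!Array.isArray(value)) {
          // The advisory's case: a tag key whose value is a string, not a child array.
          return `${here}.${key}: children must be an array`;
        } else {
          work.push({ nodes: value, path: `${here}.${key}`, depth: depth + 1 });
        }
      }
    }
  }
  return null;
}

// Constructed samples: the advisory's input, and a form with the attribute moved
// into the assumed attribute-group key.
const advisoryInput = [{ foo: [{ bar: [{ '@_V': 'baz' }] }] }];
const correctedInput = [{ foo: [{ bar: [], ':@': { '@_V': 'baz' } }] }];
```

Call `findOrderedInputError(data)` before handing `data` to the builder and reject the request when it returns a string.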