From cacf764754ae22ccee3e5c03a0437cbf1b699e19 Mon Sep 17 00:00:00 2001
From: tomsellers
Date: Wed, 16 Apr 2014 11:56:21 +0000
Subject: [PATCH] Change to citrixxml.lua to improve performance of citrixlua library when handling large XML responses containing application lists. Large responses were causing the script to consume 100% CPU for extended periods of time. Reference: http://seclists.org/nmap-dev/2014/q2/74
---
 CHANGELOG | 3 +++
 nselib/citrixxml.lua | 29 ++++++++++++++++-------------
 2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 585b98dcd..02b9e3df2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,9 @@ Nmap 6.45 [2014-04-11]
 o NOTE THAT THE CHANGELOG FOR THIS RELEASE IS INCOMPLETE. We plan to finish it soon.
+o [NSE] Improved performance of citrixlua library when handling large XML
+ responses containing application lists. [Tom Sellers]
+
 o [NSE] Add ssl-heartbleed script to detect the Heartbleed bug in OpenSSL CVE-2014-0160 [Patrik Karlsson]
diff --git a/nselib/citrixxml.lua b/nselib/citrixxml.lua
index f6b8df4ca..007d0a7a9 100644
--- a/nselib/citrixxml.lua
+++ b/nselib/citrixxml.lua
@@ -34,19 +34,22 @@ function decode_xml_document(xmldata)
 if not xmldata then
 return ""
- end
-
- local newstr = xmldata
-
- for m in xmldata:gmatch("(&#%d+;)") do
- hexval = m:match("(%d+)")
-
- if ( hexval ) then
- newstr = xmldata:gsub(m, string.char(hexval))
- end
- end
-
- return newstr
+ end
+
+ local newstr = xmldata
+ local escaped_val
+
+ while string.match(newstr, "(&#%d+;)" ) do
+ escaped_val = string.match(newstr, "(&#%d+;)")
+ hexval = escaped_val:match("(%d+)")
+
+ if ( hexval ) then
+ newstr, _ = newstr:gsub(escaped_val, string.char(hexval))
+ end
+
+ end
+
+ return newstr
 end
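Review bot: The decoded number is passed straight to `string.char(hexval)` inside the new `while` loop, and the XML being decoded is a response from the scanned server, so a numeric reference above 255 (a constructed example: `&#8217;`) raises "value out of range" and aborts the script; `&#37;` yields a bare `%` as the `gsub` replacement string, which Lua versions that validate replacement strings also reject. The loop also rescans `newstr` from the start on every pass, so text produced by one replacement is decoded again (`&#38;#60;` ends up as `<`), and each pass costs two `string.match` calls plus a full `gsub`. A single `gsub` over `"&#(%d+);"` with a callback that range-checks the number addresses all of these in one linear pass, as sketched below. `hexval` and `_` are assigned with no `local` visible in the hunk, so they appear to leak as globals; the function header sits in the `@@` line, outside the hunk body.

```lua
  -- … unchanged: nil guard returning "" …

  -- One left-to-right pass; the callback's result is inserted literally,
  -- so a decoded '%' or '&' is never re-interpreted.
  local decoded = xmldata:gsub("&#(%d+);", function(digits)
    local code = tonumber(digits)
    if code and code <= 255 then
      return string.char(code)
    end
    -- returning nil keeps the original text for references that do not fit in one byte
  end)

  return decoded
```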