[Python-Dev] XML DoS vulnerabilities and exploits in Python

Donald Stufft donald.stufft at gmail.com
Thu Feb 21 00:32:51 CET 2013


On Wednesday, February 20, 2013 at 6:23 PM, Christian Heimes wrote:

We can add a function to the XML package tree that enables all restrictions:

* limit expansion depths of nested entities
* limit total amount of expanded chars
* disable external entity expansion
* optionally force expat to ignore and reset all DTD information

3rd party users have to disable secure settings explicitly for the current interpreter (although expat limits are process wide and shared across subinterpreters).

    try:
        import xml.security
    except ImportError:
        # old Python
        pass
    else:
        xml.security.hardenxmlparser()

We've learned nothing from Ruby and their YAML problems. Things need to be safe by default and the unsafe things explicitly enabled. Even smart developers do things wrong (e.g. YAML.load instead of YAML.safe_load) and protecting developers by default should be the path forward.
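As an added illustration (not code from this thread, from CPython, or from the proposed xml.security module), the four restrictions Christian lists can be sketched on top of the existing xml.parsers.expat handlers: entity sizes and nesting depths are computed from the DTD declarations and rejected before any expansion happens, external entities are refused, and a DTD can be forbidden outright. The class, function and limit names are hypothetical, and the sample documents are constructed.

```python
import re
import xml.parsers.expat as expat
class XmlSecurityError(ValueError):
    """Raised when a document trips one of the hardening limits."""
_ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")   # general entity reference in a value
class HardenedExpatParser:
    def __init__(self, max_entity_depth=4, max_expansion_chars=10_000, forbid_dtd=False):
        self.max_depth, self.max_chars, self.forbid_dtd = max_entity_depth, max_expansion_chars, forbid_dtd
        self._entities, self._text = {}, []   # name -> (expanded length, nesting depth)
        p = expat.ParserCreate()
        p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never fetch external DTD subsets
        p.StartDoctypeDeclHandler = self._on_doctype
        p.EntityDeclHandler = self._on_entity_decl
        p.ExternalEntityRefHandler = self._on_external_ref
        p.CharacterDataHandler = self._text.append
        self._parser = p

    def _on_doctype(self, name, sysid, pubid, has_internal_subset):
        if self.forbid_dtd:   # the optional "ignore all DTD information" mode
            raise XmlSecurityError("DTD not permitted")

    def _on_external_ref(self, context, base, system_id, public_id):
        raise XmlSecurityError(f"external entity {system_id!r} refused")  # aborts Parse()

    def _on_entity_decl(self, name, is_param, value, base, system_id, public_id, notation):
        if value is None:   # <!ENTITY x SYSTEM "..."> is external: never fetched
            raise XmlSecurityError(f"external entity declaration {name!r} refused")
        size, depth = len(value), 1   # XML declares entities before use, so referenced sizes are known
        for ref in _ENTITY_REF.findall(value):
            ref_size, ref_depth = self._entities.get(ref, (len(ref) + 2, 0))
            size += ref_size - (len(ref) + 2)   # "&ref;" is replaced by its full expansion
            depth = max(depth, ref_depth + 1)
        if depth > self.max_depth:
            raise XmlSecurityError(f"entity {name!r} nests {depth} levels deep")
        if size > self.max_chars:
            raise XmlSecurityError(f"entity {name!r} expands to {size} chars")
        self._entities.setdefault(name, (size, depth))

    def parse(self, data):
        self._parser.Parse(data, True)   # exceptions raised in handlers propagate out of Parse()
        return "".join(self._text)

def check(data, **limits):
    try:
        return "ok", HardenedExpatParser(**limits).parse(data)
    except XmlSecurityError as exc:
        return "rejected", str(exc)

# Constructed samples: a benign document and a three-level, ten-by-ten nested-entity document.
GOOD = '<!DOCTYPE r [<!ENTITY who "Python-Dev">]><r>Hello &who;</r>'
NESTED = ('<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "%s"><!ENTITY c "%s">]><r>&c;</r>'
          % ("&a;" * 10, "&b;" * 10))
```

With the default limits NESTED still parses (1000 characters, three levels deep); lowering either limit rejects it during the DTD, before expat expands anything.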


