[Python-Dev] XML DoS vulnerabilities and exploits in Python (original) (raw)

Skip Montanaro skip at pobox.com
Wed Feb 20 21:53:55 CET 2013

• Previous message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
• Next message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I'm working on it. The patches need to be discussed as they break > backward compatibility and AFAIK XML standards, too.

That's not very good. XML parsers are supposed to parse XML according to standards. Is the goal to have them actually do that, or just address DDOS issues?

Having read through Christian's mail and several of his references, it seems to me that addressing the DDoS issues is preferable to blindly following a standard that predates the Morris worm by a couple years. Everyone played nice before that watershed event. Heck, back then you could telnet to gnu at prep.ai.mit.edu without a password!

Any incompatibility should have minimal impact. I haven't looked into the defusedxml package to see what limits it introduces to protect against attacks, but it seems that most well-behaved entities will use little, if any, recursion, and result in a size increase of less than a factor of 10 when fully expanded.

Skip

• Previous message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
• Next message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list