[Python-Dev] XML DoS vulnerabilities and exploits in Python
R. David Murray rdmurray at bitdance.com
Wed Feb 20 23:45:58 CET 2013
On Thu, 21 Feb 2013 11:35:23 +1300, Greg Ewing <greg.ewing at canterbury.ac.nz> wrote:
> Carl Meyer wrote:
> > An XML parser that follows the XML standard is never safe to expose to
> > untrusted input.
>
> Does the XML standard really mandate that a conforming parser must blindly download any DTD URL given to it from the real live internet? Somehow I doubt that.
I don't believe it does. The DTD URL is, if I remember correctly, specified as an identifier. The fact that you can often also download the DTD from the location specified by the identifier is a secondary effect.
But, it's been a long time since I looked at XML :)
(Wikipedia says: "Programs for reading documents may not be required to read the external subset.", which would seem to confirm that.)
--David
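An added example, not from this thread or the Python project itself, showing the point above in Python's pyexpat: the DOCTYPE system identifier is only reported to the application, and even when parameter-entity parsing is switched on, the application's ExternalEntityRefHandler decides whether anything is retrieved. The sample document and its `.invalid` URL are constructed for the example.

```python
import xml.parsers.expat

# Constructed sample document: its DOCTYPE names an external DTD by a
# system identifier (a URL under the reserved .invalid TLD, so it is
# clearly a placeholder and not a real location).
SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd">\n'
    b'<note>hello</note>\n'
)


def parse_recording_references(data, param_entities=False):
    """Parse `data` with pyexpat and return (character_data, references).

    `references` lists every DOCTYPE system identifier and every external
    entity the parser asked about. Nothing is downloaded: the external
    entity handler records the request and returns 1 ("handled") without
    opening the URL, so the identifier stays an identifier.
    """
    parser = xml.parsers.expat.ParserCreate()
    refs = []
    text = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        refs.append(("doctype", name, sysid))

    def external_entity_ref(context, base, sysid, pubid):
        # Reached only for external entities (and, with parameter-entity
        # parsing on, the external DTD subset). Record it, fetch nothing.
        refs.append(("external-entity", sysid))
        return 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = text.append
    if param_entities:
        # Opt in to parameter-entity processing, the mode in which expat
        # would consult the external subset; the handler above still
        # decides what, if anything, is retrieved.
        parser.SetParamEntityParsing(
            xml.parsers.expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    parser.Parse(data, True)
    return "".join(text), refs


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, parse_recording_references(SAMPLE, flag))
```

With the default settings the DTD URL shows up only in the doctype report; with parameter-entity parsing enabled the parser additionally asks the handler about the external subset, and the handler is where a reviewer can log or refuse such references.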