[Python-Dev] XML DoS vulnerabilities and exploits in Python
Fred Drake fred at fdrake.net
Wed Feb 20 23:56:15 CET 2013
On Wed, Feb 20, 2013 at 5:45 PM, R. David Murray <rdmurray at bitdance.com> wrote:
> (Wikipedia says: "Programs for reading documents may not be required to read the external subset.", which would seem to confirm that.)
Validating parsers are required to read the external subset; this doesn't apply to the parsers distributed for Python today.
Even when loading external resources, I don't think there's anything in the XML specification that says how they have to be loaded, or how to deal with an error when they are (and refusing to load because of resource limits is reasonably just another error with respect to the parser).
While I'd hate to make XML processing more painful than it often is, there's no injunction not to be reasonable. Security concerns and resource limits are cross-cutting concerns, so it's not wrong to provide safe defaults.
Doing so will be backward incompatible, and I'm not sure there's a good way to gauge the extent of the breakage.
-Fred
-- Fred L. Drake, Jr. "A storm broke loose in my mind." --Albert Einstein
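As an added example (not part of Fred's message or the Python-Dev thread), here is how an expat-based parser in Python can be given the kind of safe defaults the message describes: it never fetches the external subset or external entities, it caps the amount of expanded character data, and each refusal surfaces as an ordinary parser error. The sample documents, the `max_chars` budget and the `ResourceLimitExceeded` name are constructed for illustration.

```python
import xml.parsers.expat as expat


class ResourceLimitExceeded(Exception):
    """Raised when a document expands past the configured budget."""


def parse_with_limits(xml_bytes, max_chars=1_000_000):
    """Parse with expat, refusing external resources and capping the
    expanded character data. Returns the document's concatenated text."""
    parser = expat.ParserCreate()
    # Safe default: never read the external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    chunks, seen = [], 0

    def refuse_external(context, base, system_id, public_id):
        # Returning 0 makes expat report the refusal as a normal parse
        # error (ExpatError) instead of fetching or silently skipping it.
        return 0

    def on_text(data):
        nonlocal seen
        seen += len(data)
        if seen > max_chars:  # nested internal entities amplify output
            raise ResourceLimitExceeded(f"expansion exceeds {max_chars} chars")
        chunks.append(data)

    parser.ExternalEntityRefHandler = refuse_external
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


# Constructed sample inputs: 100 expanded characters, and one external ref.
NESTED_ENTITIES = b"""<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;&a;"> ]>
<d>&b;&b;</d>"""
EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY ext SYSTEM "file:///constructed-example-path"> ]>
<d>&ext;</d>"""


def outcome(xml_bytes, max_chars):
    """Classify a parse as 'ok', 'limit' (budget hit) or 'refused'."""
    try:
        parse_with_limits(xml_bytes, max_chars)
    except ResourceLimitExceeded:
        return "limit"
    except expat.ExpatError:
        return "refused"
    return "ok"
```

Both error paths are exceptions raised from `Parse()`, so a caller handles the resource refusal exactly like any other malformed-document error.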