[Python-Dev] XML DoS vulnerabilities and exploits in Python
Donald Stufft donald.stufft at gmail.com
Thu Feb 21 00:21:22 CET 2013
On Wednesday, February 20, 2013 at 6:08 PM, Antoine Pitrou wrote:
> > It's not a distributed DoS issue, it's a severe DoS vulnerability. A
> > single 1 kB XML document can kill virtually any machine, even servers
> > with more than a hundred GB of RAM.
>
> Assuming an attacker can inject arbitrary XML. Not every XML document is
> loaded from the Internet.
Even documents not loaded from the internet can be at risk. Oftentimes security breaches are the result of a chain of actions. You can say "I'm not loading this XML from the internet, so therefore I am safe", but then you have another flaw (for example) where you unpack a zip file without verifying there are no absolute paths, and suddenly your XML file has been replaced with a malicious one. Not everyone is a security nut.
This is precisely why things should be safe by default and allow unsafe actions to be turned on optionally.
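As an added illustration of the safe-by-default shape argued for above (example code written for this page, not from the thread or from the stdlib): a hypothetical `parse_xml` loader that refuses any DOCTYPE or entity declaration unless the caller explicitly passes `allow_dtd=True`. It hooks expat's declaration handlers, which fire when the declaration is read, so the parse is aborted before an entity could ever be referenced or expanded.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a document uses a DTD feature that is off by default."""


def check_no_dtd(data: bytes) -> None:
    """Abort, before any expansion can happen, if the document declares a
    DOCTYPE or any entity. Expat invokes these handlers at the declaration
    itself, i.e. before the entity can appear in element content."""
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declaration refused (name=%r)" % name)

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError("entity declaration refused (name=%r)" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.Parse(data, True)  # exceptions raised in handlers propagate here


def is_dtd_free(data: bytes) -> bool:
    """True when the document carries no DOCTYPE/entity declarations."""
    try:
        check_no_dtd(data)
    except UnsafeXMLError:
        return False
    return True


def parse_xml(data: bytes, allow_dtd: bool = False) -> ET.Element:
    """Safe-by-default loader: DTD processing must be opted into explicitly.
    (Hypothetical API for this example; ElementTree itself has no such flag.)"""
    if not allow_dtd:
        check_no_dtd(data)
    return ET.fromstring(data)


# Constructed sample inputs: a plain config document and one that declares a
# single internal entity (the kind of declaration that is refused by default).
BENIGN_DOC = b"<config><key>value</key></config>"
DTD_DOC = b'<!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>'

if __name__ == "__main__":
    print(parse_xml(BENIGN_DOC).find("key").text)          # value
    print(is_dtd_free(BENIGN_DOC), is_dtd_free(DTD_DOC))    # True False
    print(parse_xml(DTD_DOC, allow_dtd=True).text)          # x (explicit opt-in)
```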