[Python-Dev] XML DoS vulnerabilities and exploits in Python (original) (raw)

Tres Seaver tseaver at palladion.com
Thu Feb 21 00:49:59 CET 2013

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 02/20/2013 06:22 PM, Antoine Pitrou wrote:

On Wed, 20 Feb 2013 18:21:22 -0500 Donald Stufft <donald.stufft at gmail.com> wrote:

On Wednesday, February 20, 2013 at 6:08 PM, Antoine Pitrou wrote:

It's not a distributed DoS issue, it's a severe DoS vulnerabilities. A single 1 kB XML document can kill virtually any machine, even servers with more than hundred GB RAM.

Assuming an attacker can inject arbitrary XML. Not every XML document is loaded from the Internet. Even documents not loaded from the internet can be at risk. Often times security breaches are the result of a chain of actions. You can say "I'm not loading this XML from the internet, so therefore I am safe" but then you have another flaw (for example) where you unpack a zip file without verifying there are not absolute paths and suddenly your xml file has been replaces with a malicious one. Assuming your ZIP file is coming from the untrusted Internet, indeed. Again, this is the same assumption that you are grabbing some important data from someone you can't trust. Just because you are living in a Web-centric world doesn't mean everyone does. There are a lot of use cases which are not impacted by your security rules. Bugfix releases shouldn't break those use cases, which means the security features should be mostly opt-in for 2.7 and 3.3.

Two words: "hash randomization". If it applies to one, it applies to the other.

Tres. - --

Tres Seaver +1 540-429-0999 tseaver at palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlElYScACgkQ+gerLs4ltQ4QgwCfctL8/FmnboJWozyPcSE1xbb2 wwIAoNVc2hoQci9G2M6g/keNNsN5RR0O =Q9IX -----END PGP SIGNATURE-----

More information about the Python-Dev mailing list