[Python-Dev] XML DoS vulnerabilities and exploits in Python

Maciej Fijalkowski fijall at gmail.com
Thu Feb 21 17:02:07 CET 2013


On Thu, Feb 21, 2013 at 9:29 AM, Tres Seaver <tseaver at palladion.com> wrote:


> On 02/21/2013 01:53 AM, Antoine Pitrou wrote:
>> On Thu, 21 Feb 2013 11:37:47 +1100
>> Steven D'Aprano <steve at pearwood.info> wrote:
>>> It's easy to forget that malware existed long before the Internet. The internet is just a transmission vector, it is not the source of malicious files. The source of malicious files is other people, and unless you never use XML files you didn't generate yourself, you cannot completely trust the source. You might trust your colleagues to not intentionally pass you a malicious XML file, but they may still do so accidentally.
>>
>> That's in theory very nice, but in practice security in everyday computing hasn't really been a concern before the massification of Internet access. (yes, there have been viruses on mainstream platforms such as the Amiga, but it was pretty minor compared to nowadays, and nobody cared about potential DoS attacks for example)
>>
>> So, as for XML files, we are talking about a DoS vulnerability. It will take more than a single file to make a DoS attack really annoying, which means the attacker must pollute the source of those XML files in a systemic way. It's not "a single XML file will smuggle confidential data out of the building".
>
> Antoine,
>
> A single, small, malicious XML file can kill a machine (not just the process parsing it) by sucking all available RAM. We are talking hard lockup, reboot-to-fix-it sorts of DoS here.

Er no. We're talking about running out of RAM. Any reasonable person would already have a limit one way or another (rlimits anyone).
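The size argument in this exchange (a few hundred bytes of DTD expanding to gigabytes) can be settled at parse time without ever doing the expansion. The following is an added example, not code from this thread or from CPython: an expat wrapper that computes every internal entity's fully expanded size from the declared replacement texts alone and rejects the document at the end of the DOCTYPE, before the first byte is materialised. It complements, rather than replaces, the process-level rlimits mentioned above. The entity-bomb builder is constructed sample input, and the 64 KiB default budget and the class and function names are this example's own choices.

```python
"""Entity-expansion budget for xml.parsers.expat (added example, not from the thread)."""
import re
import xml.parsers.expat as expat

# A general entity reference inside a declared entity value, e.g. "&e3;".
_ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


class EntityExpansionError(ValueError):
    """Raised when a declared entity would expand beyond the configured budget."""

    def __init__(self, name, size, budget):
        super().__init__(f"entity &{name}; expands to {size:,} chars (budget {budget:,})")
        self.name, self.size = name, size


def build_entity_bomb(depth, fanout, payload="lol"):
    """Constructed sample input: a 'billion laughs' style document.

    e0 is the payload and each e_k is `fanout` references to e_{k-1}, so
    &e{depth}; expands to len(payload) * fanout**depth characters while the
    document itself stays well under a kilobyte.
    """
    lines = ['<?xml version="1.0"?>', "<!DOCTYPE bomb [", f'  <!ENTITY e0 "{payload}">']
    for k in range(1, depth + 1):
        refs = f"&e{k - 1};" * fanout
        lines.append(f'  <!ENTITY e{k} "{refs}">')
    lines += ["]>", f"<bomb>&e{depth};</bomb>"]
    return "\n".join(lines)


class BudgetedXMLParser:
    """Expat wrapper that sizes every internal general entity from the DTD
    (memoised, so the work is linear in the size of the DTD) and aborts at
    the end of the DOCTYPE if any entity would expand past `budget` chars."""

    def __init__(self, budget=64 * 1024):
        self.budget = budget
        self.entities = {}   # name -> replacement text exactly as declared
        self.sizes = {}      # name -> fully expanded size, filled at end of DTD
        self.text = []       # character data delivered by expat
        parser = expat.ParserCreate()
        parser.EntityDeclHandler = self._on_entity_decl
        parser.EndDoctypeDeclHandler = self._on_end_doctype
        parser.CharacterDataHandler = self.text.append
        self._parser = parser

    def _on_entity_decl(self, name, is_param, value, base, system_id, public_id, notation):
        # Only internal general entities are expanded in content; parameter and
        # external entities (value is None) are left to expat's own handling.
        if not is_param and value is not None:
            self.entities[name] = value

    def _expanded_size(self, name, stack=()):
        """Expanded size of &name; computed from declarations, never by expanding."""
        if name in self.sizes:
            return self.sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity &{name};")  # expat rejects this too
        value = self.entities.get(name)
        if value is None:
            # Undeclared or predefined (&lt; etc.): count the reference text itself,
            # which is a conservative over-estimate.
            return len(name) + 2
        size = len(_ENTITY_REF.sub("", value))
        for ref in _ENTITY_REF.findall(value):
            size += self._expanded_size(ref, stack + (name,))
        self.sizes[name] = size
        return size

    def _on_end_doctype(self):
        # Runs before any content is parsed, so nothing has been expanded yet.
        for name in self.entities:
            self._expanded_size(name)
        worst = max(self.sizes, key=self.sizes.get, default=None)
        if worst is not None and self.sizes[worst] > self.budget:
            raise EntityExpansionError(worst, self.sizes[worst], self.budget)

    def parse(self, document):
        """Parse a str or bytes document; returns its concatenated character data."""
        self._parser.Parse(document, True)
        return "".join(self.text)


if __name__ == "__main__":
    bomb = build_entity_bomb(9, 10)          # the classic depth-9, fanout-10 layout
    try:
        BudgetedXMLParser(budget=1_000_000).parse(bomb)
    except EntityExpansionError as err:
        print(f"{len(bomb)}-byte document rejected: {err}")
```

The check bounds amplification per entity, not total output: a document that references a modest entity many times still grows only linearly in its own size, which a cap on total character data or an rlimit can bound. Recent expat releases apply their own amplification limit during expansion; the check above runs earlier, on the DTD, and does not depend on the expat version. The `__main__` block reports that the roughly 600-byte depth-9 document is rejected for an entity that would expand to 3,000,000,000 characters.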


