[Python-Dev] XML DoS vulnerabilities and exploits in Python

[Skip Montanaro]

> > I'm working on it. The patches need to be discussed as they break
> > backward compatibility and AFAIK XML standards, too.
>
> That's not very good. XML parsers are supposed to parse XML according
> to standards. Is the goal to have them actually do that, or just
> address DDOS issues?

Having read through Christian's mail and several of his references, it
seems to me that addressing the DDoS issues is preferable to blindly
following a standard that predates the Morris worm by a couple years.
Everyone played nice before that watershed event.  Heck, back then you
could telnet to gnu at prep.ai.mit.edu without a password!

Any incompatibility should have minimal impact.  I haven't looked into
the defusedxml package to see what limits it introduces to protect
against attacks, but it seems that most well-behaved entities will use
little, if any, recursion, and result in a size increase of less than
a factor of 10 when fully expanded.

Skip