[Python-Dev] XML DoS vulnerabilities and exploits in Python

Jesse Noller jnoller at gmail.com
Thu Feb 21 00:47:53 CET 2013 


On Feb 20, 2013, at 6:22 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> On Wed, 20 Feb 2013 18:21:22 -0500
> Donald Stufft <donald.stufft at gmail.com> wrote:
>> On Wednesday, February 20, 2013 at 6:08 PM, Antoine Pitrou wrote:
>>>> It's not a distributed DoS issue, it's a severe DoS vulnerabilities. A
>>>> single 1 kB XML document can kill virtually any machine, even servers
>>>> with more than hundred GB RAM.
>>> 
>>> Assuming an attacker can inject arbitrary XML. Not every XML document
>>> is loaded from the Internet.
>> 
>> Even documents not loaded from the internet can be at risk. Often times
>> security breaches are the result of a chain of actions. You can say "I'm
>> not loading this XML from the internet, so therefore I am safe" but then
>> you have another flaw (for example) where you unpack a zip file
>> without verifying there are not absolute paths and suddenly your xml file has
>> been replaces with a malicious one.
> 
> Assuming your ZIP file is coming from the untrusted Internet, indeed.
> Again, this is the same assumption that you are grabbing some important
> data from someone you can't trust.
> 
> Just because you are living in a Web-centric world doesn't mean
> everyone does. There are a lot of use cases which are not impacted by
> your security rules. Bugfix releases shouldn't break those use cases,
> which means the security features should be mostly opt-in for 2.7 and
> 3.3.
> 
> Regards
> 
> Antoine.

Any type of input is a potential attack vector; this isn't web centric, it's a systemic flaw in the spec that allows any application that's loading XML to be bombed into oblivion. People need to trust that the standard library is reliable and sane-by-default. What we have right now isn't 



> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/jnoller%40gmail.com

More information about the Python-Dev mailing list