[Python-checkins] cpython (2.7): Issue 17538: Document XML vulnerabilties

Ezio Melotti ezio.melotti at gmail.com
Thu Mar 28 23:56:46 CET 2013


Hi,

On Tue, Mar 26, 2013 at 6:53 PM, christian.heimes
<python-checkins at python.org> wrote:
> http://hg.python.org/cpython/rev/e87364449954
> changeset:   82973:e87364449954
> branch:      2.7
> parent:      82963:d321885ff8f3
> user:        Christian Heimes <christian at cheimes.de>
> date:        Tue Mar 26 17:53:05 2013 +0100
> summary:
>   Issue 17538: Document XML vulnerabilties
>
> [...]
>
> diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
> new file mode 100644
> --- /dev/null
> +++ b/Doc/library/xml.rst
> @@ -0,0 +1,131 @@
> +.. _xml:
> +
> +XML Processing Modules
> +======================
> +
> +.. module:: xml
> +   :synopsis: Package containing XML processing modules
> +.. sectionauthor:: Christian Heimes <christian at python.org>
> +.. sectionauthor:: Georg Brandl <georg at python.org>
> +
> +
> +Python's interfaces for processing XML are grouped in the ``xml`` package.
> +
> +.. warning::
> +
> +   The XML modules are not secure against erroneous or maliciously
> +   constructed data.  If you need to parse untrusted or unauthenticated data see
> +   :ref:`xml-vulnerabilities`.
> +
> +It is important to note that modules in the :mod:`xml` package require that
> +there be at least one SAX-compliant XML parser available. The Expat parser is
> +included with Python, so the :mod:`xml.parsers.expat` module will always be
> +available.
> +
> +The documentation for the :mod:`xml.dom` and :mod:`xml.sax` packages are the
> +definition of the Python bindings for the DOM and SAX interfaces.
> +
> +The XML handling submodules are:
> +
> +* :mod:`xml.etree.ElementTree`: the ElementTree API, a simple and lightweight

Something is missing here ^

> +
> +..
> +
> +* :mod:`xml.dom`: the DOM API definition
> +* :mod:`xml.dom.minidom`: a lightweight DOM implementation
> +* :mod:`xml.dom.pulldom`: support for building partial DOM trees
> +
> +..
> +
> +* :mod:`xml.sax`: SAX2 base classes and convenience functions
> +* :mod:`xml.parsers.expat`: the Expat parser binding
> +
> +
> +.. _xml-vulnerabilities:
> +
> [...]
> +
> +defused packages
> +----------------
> +
> +`defusedxml`_ is a pure Python package with modified subclasses of all stdlib
> +XML parsers that prevent any potentially malicious operation. The courses of
> +action are recommended for any server code that parses untrusted XML data.

This last sentence doesn't make much sense to me.  Is it even correct?

> The
> +package also ships with example exploits and an extended documentation on more
> +XML exploits like xpath injection.
> +
> +`defusedexpat`_ provides a modified libexpat and patched replacment

s/replacment/replacement/

> +:mod:`pyexpat` extension module with countermeasures against entity expansion
> +DoS attacks. Defusedexpat still allows a sane and configurable amount of entity
> +expansions. The modifications will be merged into future releases of Python.
> +
> +The workarounds and modifications are not included in patch releases as they
> +break backward compatibility. After all inline DTD and entity expansion are
> +well-definied XML features.

s/definied/defined/

> +
> +
> +.. _defusedxml: <https://pypi.python.org/pypi/defusedxml/>
> +.. _defusedexpat: <https://pypi.python.org/pypi/defusedexpat/>
> +.. _Billion Laughs: http://en.wikipedia.org/wiki/Billion_laughs
> +.. _ZIP bomb: http://en.wikipedia.org/wiki/Zip_bomb
> +.. _DTD: http://en.wikipedia.org/wiki/Document_Type_Definition
>  [...]

Best Regards,
Ezio Melotti


More information about the Python-checkins mailing list