[Python-Dev] XML DoS vulnerabilities and exploits in Python

Carl Meyer carl at oddbird.net
Wed Feb 20 22:02:45 CET 2013


On 02/20/2013 01:53 PM, Skip Montanaro wrote:
>> That's not very good. XML parsers are supposed to parse XML according
>> to standards. Is the goal to have them actually do that, or just
>> address DDOS issues?
> 
> Having read through Christian's mail and several of his references, it
> seems to me that addressing the DDoS issues is preferable to blindly
> following a standard that predates the Morris worm by a couple years.
> Everyone played nice before that watershed event.  Heck, back then you
> could telnet to gnu at prep.ai.mit.edu without a password!

Also, despite the title of this thread, the vulnerabilities include
fetching of external DTDs and entities (per standard), which opens up
attacks that are worse than just denial-of-service. In our initial
Django release advisory we carelessly lumped the potential XML
vulnerabilities together under the "DoS" label, and were quickly corrected.

An XML parser that follows the XML standard is never safe to expose to
untrusted input. This means the choice is just whether the stdlib XML
parsers should be safe by default, or follow the standard by default.
(Given either choice, the other option can still be made available via
flags).

Carl

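The safe-by-default behaviour Carl argues for, shown on the stdlib expat parser as an added example (not code from this thread or from CPython): it refuses external DTDs and external entities and bounds how far internal entities may expand. The function names, the limits and the sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

class UnsafeXML(Exception):
    """The document asked for something a hardened parser refuses to do."""

def parse_hardened(data, max_entities=20, max_chars=10_000):
    """Parse with the stdlib expat parser, refusing what the standard would
    allow: external DTD/entity fetches and unbounded entity expansion."""
    p = expat.ParserCreate()
    # Never expand parameter entities, so an external DTD subset is never fetched.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    state = {"entities": 0, "chars": 0, "text": []}
    def doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"refusing external DTD for <!DOCTYPE {name}>")
    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        state["entities"] += 1
        if system_id is not None:
            raise UnsafeXML(f"refusing external entity {name!r}")
        if state["entities"] > max_entities:
            raise UnsafeXML("too many entity declarations")
    def external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"refusing to fetch {system_id!r}")  # belt and braces
    def chars(text):
        # Bound the *expanded* size, which is what an entity-expansion payload inflates.
        state["chars"] += len(text)
        if state["chars"] > max_chars:
            raise UnsafeXML(f"expanded text exceeds {max_chars} characters")
        state["text"].append(text)
    p.StartDoctypeDeclHandler = doctype
    p.EntityDeclHandler = entity_decl
    p.ExternalEntityRefHandler = external_ref
    p.CharacterDataHandler = chars
    p.Parse(data, True)  # an exception raised in a handler propagates out of Parse()
    return "".join(state["text"])

def parse_untrusted(data):
    """(True, text) on success, (False, reason) when the document is refused."""
    try:
        return True, parse_hardened(data)
    except (UnsafeXML, expat.ExpatError) as e:
        return False, str(e)

# Constructed samples: benign, external DTD, external entity, and four nested
# entities that expand to 20_000 characters (well over max_chars).
BENIGN = "<r>hi <b>there</b></r>"
EXTERNAL_DTD = '<!DOCTYPE r SYSTEM "http://example.invalid/r.dtd"><r/>'
EXTERNAL_ENTITY = '<!DOCTYPE r [<!ENTITY x SYSTEM "http://example.invalid/x">]><r>&x;</r>'
EXPANSION = ('<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">'
             '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
             '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">'
             '<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">]><r>&d;&d;</r>')
```

Which of the two defaults a given Python version ships has changed over time, so an application handling untrusted XML should set these handlers itself rather than rely on the parser's defaults.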