[Python-Dev] XML DoS vulnerabilities and exploits in Python
Christian Heimes
christian at python.org
Wed Feb 20 22:55:57 CET 2013
Am 20.02.2013 21:17, schrieb Maciej Fijalkowski:
> On Wed, Feb 20, 2013 at 8:24 PM, Christian Heimes <christian at python.org> wrote:
>> Am 20.02.2013 17:25, schrieb Benjamin Peterson:
>>> Are these going to become patches for Python, too?
>>
>> I'm working on it. The patches need to be discussed as they break
>> backward compatibility and AFAIK XML standards, too.
>
> That's not very good. XML parsers are supposed to parse XML according
> to standards. Is the goal to have them actually do that, or just
> address DDOS issues?
But the standard is flawed.
It's not a distributed DoS issue, it's a severe DoS vulnerabilities. A
single 1 kB XML document can kill virtually any machine, even servers
with more than hundred GB RAM.
More information about the Python-Dev
mailing list