[Python-Dev] XML DoS vulnerabilities and exploits in Python

Christian Heimes christian at python.org
Wed Feb 20 22:55:57 CET 2013

Am 20.02.2013 21:17, schrieb Maciej Fijalkowski:
> On Wed, Feb 20, 2013 at 8:24 PM, Christian Heimes <christian at python.org> wrote:
>> Am 20.02.2013 17:25, schrieb Benjamin Peterson:
>>> Are these going to become patches for Python, too?
>> I'm working on it. The patches need to be discussed as they break
>> backward compatibility and AFAIK XML standards, too.
> That's not very good. XML parsers are supposed to parse XML according
> to standards. Is the goal to have them actually do that, or just
> address DDOS issues?

But the standard is flawed.

It's not a distributed DoS issue, it's a severe DoS vulnerabilities. A
single 1 kB XML document can kill virtually any machine, even servers
with more than hundred GB RAM.

More information about the Python-Dev mailing list