[Python-Dev] XML DoS vulnerabilities and exploits in Python

Fred Drake fred at fdrake.net
Wed Feb 20 23:56:15 CET 2013


On Wed, Feb 20, 2013 at 5:45 PM, R. David Murray <rdmurray at bitdance.com> wrote:
> (Wikipedia says: "Programs for reading documents may not be required to
> read the external subset.", which would seem to confirm that.)

Validating parsers are required to read the external subset; this doesn't
apply to the parsers distributed for Python today.

Even when loading external resources, I don't think there's anything in the
XML specification that says how they have to be loaded, or how to deal with
an error when they are (and refusing to load because of resource limits is
reasonably just another error with respect to the parser).

While I'd hate to make XML processing more painful than it often is, there's
no injunction not to be reasonable.  Security concerns and resource limits
are cross-cutting concerns, so it's not wrong to provide safe defaults.

Doing so *will* be backward incompatible, and I'm not sure there's a good
way to gauge the extent of the breakage.


  -Fred

-- 
Fred L. Drake, Jr.    <fred at fdrake.net>
"A storm broke loose in my mind."  --Albert Einstein
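
The behaviour discussed in the message above, as an added example that is not part of the original post or of any Python-Dev patch: a non-validating expat parser either leaves the external subset unread or, when asked to read it, treats a refusal as an ordinary parse error. The function name `parse_with_policy`, the policy names and the sample document are assumptions made for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: a document whose DOCTYPE names an external subset.
DOC = (b'<?xml version="1.0"?>\n'
       b'<!DOCTYPE note SYSTEM "http://example.invalid/note.dtd">\n'
       b'<note>hello</note>')


def parse_with_policy(doc, policy="skip"):
    """Parse doc with one of two policies (hypothetical names):

    'skip'   - expat's default: the external subset is never requested.
    'refuse' - the parser asks for the external subset and the handler
               declines, so the refusal surfaces as a normal parse error.
    """
    requested = []   # system identifiers the parser asked us to load
    text = []        # character data seen before any error
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    if policy == "refuse":
        # Without this call expat does not try to read the external subset.
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

        def refuse(context, base, system_id, public_id):
            requested.append(system_id)
            return 0  # 0 means "could not handle"; nothing is fetched

        parser.ExternalEntityRefHandler = refuse

    try:
        parser.Parse(doc, True)
    except expat.ExpatError as exc:
        return {"ok": False, "error": expat.ErrorString(exc.code),
                "requested": requested, "text": "".join(text)}
    return {"ok": True, "error": None,
            "requested": requested, "text": "".join(text)}


if __name__ == "__main__":
    for policy in ("skip", "refuse"):
        print(policy, parse_with_policy(DOC, policy))
```

Under `skip` the document parses and the DTD URL is never touched; under `refuse` the caller sees a standard `ExpatError`, which is also where a resource-limit check would report its failure.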