[Python-Dev] XML DoS vulnerabilities and exploits in Python
carl at oddbird.net
Thu Feb 21 00:03:34 CET 2013
On 02/20/2013 03:35 PM, Greg Ewing wrote:
> Carl Meyer wrote:
>> An XML parser that follows the XML standard is never safe to expose to
>> untrusted input.
> Does the XML standard really mandate that a conforming parser
> must blindly download any DTD URL given to it from the real
> live internet? Somehow I doubt that.
For a validating parser, the spec does mandate that. It permits
non-validating parsers (browsers are the only example given) to simply
note the existence of an external entity reference and "retrieve it for
display only on demand." 
But this isn't particularly relevant; the quoted statement is true even
if you ignore the external reference issues entirely and consider only
entity-expansion DoS. Some level of non-conformance to the spec is
necessary to make parsing of untrusted XML safe.
More information about the Python-Dev