[Python-Dev] XML DoS vulnerabilities and exploits in Python

Carl Meyer carl at oddbird.net
Thu Feb 21 00:03:34 CET 2013


On 02/20/2013 03:35 PM, Greg Ewing wrote:
> Carl Meyer wrote:
>> An XML parser that follows the XML standard is never safe to expose to
>> untrusted input.
> 
> Does the XML standard really mandate that a conforming parser
> must blindly download any DTD URL given to it from the real
> live internet? Somehow I doubt that.

For a validating parser, the spec does mandate that. It permits
non-validating parsers (browsers are the only example given) to simply
note the existence of an external entity reference and "retrieve it for
display only on demand." [1]

But this isn't particularly relevant; the quoted statement is true even
if you ignore the external reference issues entirely and consider only
entity-expansion DoS. Some level of non-conformance to the spec is
necessary to make parsing of untrusted XML safe.

Carl

[1] http://www.w3.org/TR/xml/#include-if-valid


More information about the Python-Dev mailing list