[Python-Dev] XML DoS vulnerabilities and exploits in Python

Antoine Pitrou solipsis at pitrou.net
Thu Feb 21 00:08:08 CET 2013


On Wed, 20 Feb 2013 22:55:57 +0100
Christian Heimes <christian at python.org> wrote:
> On 20.02.2013 21:17, Maciej Fijalkowski wrote:
> > On Wed, Feb 20, 2013 at 8:24 PM, Christian Heimes <christian at python.org> wrote:
> >> On 20.02.2013 17:25, Benjamin Peterson wrote:
> >>> Are these going to become patches for Python, too?
> >>
> >> I'm working on it. The patches need to be discussed as they break
> >> backward compatibility and AFAIK XML standards, too.
> > 
> > That's not very good. XML parsers are supposed to parse XML according
> > to standards. Is the goal to have them actually do that, or just
> > address DDOS issues?
> 
> But the standard is flawed.

It is not flawed as long as you are operating in a sandbox (read:
controlled environment).

> It's not a distributed DoS issue, it's a severe DoS vulnerability. A
> single 1 kB XML document can kill virtually any machine, even servers
> with more than a hundred GB of RAM.

Assuming an attacker can inject arbitrary XML. Not every XML document
is loaded from the Internet. Not everyone is a security nut.

Regards

Antoine.
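A defensive check in the spirit of Antoine's "sandbox" remark, added here as an example and not code from the thread or from CPython: it parses with the standard library's expat binding and refuses any document that declares an entity, since entity expansion is the construct that lets a 1 kB document consume enormous memory. The two sample documents are constructed for the demonstration; the function names `parse_untrusted` and `accepts` are this example's own.

```python
import xml.parsers.expat


class ForbiddenEntity(Exception):
    """Raised when an untrusted document declares an XML entity."""


def parse_untrusted(data: bytes) -> list:
    """Parse XML with expat but reject any document that declares entities.

    Returns the element names in start-tag order when the document is
    accepted. Raises ForbiddenEntity as soon as the DTD declares an
    internal or external entity, before any expansion can take place.
    """
    tags = []
    parser = xml.parsers.expat.ParserCreate()

    # expat reports every <!ENTITY ...> declaration in the internal subset
    # through this handler; raising here aborts the parse immediately.
    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenEntity(f"entity declaration {name!r} rejected")

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = lambda name, attrs: tags.append(name)
    parser.Parse(data, True)  # True: this is the final chunk
    return tags


def accepts(data: bytes) -> bool:
    """Return True if the document parses under the no-entities policy."""
    try:
        parse_untrusted(data)
    except ForbiddenEntity:
        return False
    return True


# Constructed sample inputs: a plain document and one with a harmless
# single-entity DTD that the policy still rejects on principle.
PLAIN_DOC = b"<root><a/><b/></root>"
ENTITY_DOC = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'

if __name__ == "__main__":
    print(parse_untrusted(PLAIN_DOC))   # ['root', 'a', 'b']
    print(accepts(ENTITY_DOC))          # False
```

Rejecting at the declaration rather than after expansion is the point: the guard fires while the parser is still reading the DTD, so the document's size is the only memory it can cost. In a deployment that must accept DTDs from trusted sources, the same handler can whitelist specific entity names instead of refusing all of them.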



