[Python-Dev] XML DoS vulnerabilities and exploits in Python

Donald Stufft donald.stufft at gmail.com
Thu Feb 21 00:21:22 CET 2013


On Wednesday, February 20, 2013 at 6:08 PM, Antoine Pitrou wrote:
> > It's not a distributed DoS issue, it's a severe DoS vulnerability. A
> > single 1 kB XML document can kill virtually any machine, even servers
> > with more than a hundred GB of RAM.
>
> Assuming an attacker can inject arbitrary XML. Not every XML document
> is loaded from the Internet.

Even documents not loaded from the internet can be at risk. Oftentimes
security breaches are the result of a chain of actions. You can say "I'm
not loading this XML from the internet, so therefore I am safe", but then
you have another flaw (for example) where you unpack a zip file
without verifying there are no absolute paths, and suddenly your XML file has
been replaced with a malicious one.
> Not everyone is a security nut.

This is precisely why things should be safe by default and allow unsafe
actions to be turned on optionally. 
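Taking the chain described above (an archive member with an unsafe path overwriting a trusted XML file, which is then fed to an entity-expanding parser), here is an added example of the two safe-by-default checks a consumer could apply before processing. It is not code from the thread or from the stdlib; the member-name rules and the refuse-any-DTD policy are assumptions, and the sample zip and XML are constructed.

```python
import io
import posixpath
import zipfile
from xml.parsers import expat

class UnsafeInput(ValueError):
    """Raised when input fails a safety check and must not be processed."""

def is_safe_member_name(name):
    """True if a zip member name cannot escape the extraction directory.
    Rejects absolute POSIX/Windows paths, drive letters, and any '..'
    component that survives normalisation (assumed policy, not stdlib's)."""
    posix = name.replace("\\", "/")
    if posixpath.isabs(posix) or ":" in posix.split("/", 1)[0]:
        return False
    norm = posixpath.normpath(posix)
    return norm != ".." and not norm.startswith("../")

def safe_member_names(zip_bytes):
    """Return member names of an in-memory zip, or raise before extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    bad = [n for n in names if not is_safe_member_name(n)]
    if bad:
        raise UnsafeInput("unsafe zip member paths: %r" % bad)
    return names

def count_elements_no_dtd(xml_bytes):
    """Parse with expat, refusing any document that declares a DTD.
    Entity-expansion attacks need a DOCTYPE, so raising from the doctype
    handler stops them before any entity is expanded."""
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeInput("document declares a DTD (%s): refusing" % name)
    seen = [0]  # element count stands in for real processing
    def count_start(name, attrs):
        seen[0] += 1
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = count_start
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    return seen[0]

def build_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Current `zipfile.extract` already rewrites hostile member names on its own; the explicit check above makes the policy visible and fails closed instead of silently extracting under a different name.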
