[Python-Dev] XML DoS vulnerabilities and exploits in Python
Christian Heimes
christian at python.org
Thu Feb 21 00:23:52 CET 2013
Am 20.02.2013 23:56, schrieb Fred Drake:
> While I'd hate to make XML processing more painful than it often is, there's
> no injunction not to be reasonable. Security concerns and resource limits
> are cross-cutting concerns, so it's not wrong to provide safe defaults.
>
> Doing so *will* be backward incompatible, and I'm not sure there's a good
> way to gauge the extent of the breakage.
We could walk a different path but that would keep Python's XML
libraries in an insecure mode by default.
My latest patch to expat and pyexpat supports global default values. The
global defaults are used when a new parser is created with
pyexpat.ParserCreate(). It's also possible to disable the new
limitations in expat by default.
We can add a function to the XML package tree that enables all restrictions:
* limit expansion depths of nested entities
* limit total amount of expanded chars
* disable external entity expansion
* optionally force expat to ignore and reset all DTD information
3rd party users have to disable secure settings explicitly for the
current interpreter (although expat limits are process wide and shared
across subinterpreters).
try:
import xml.security
except ImportError:
# old Python
pass
else:
xml.security.harden_xml_parser()
I guess most programs either process untrusted XML input or large XML
documents that require expansion and DTD validation.
Christian
More information about the Python-Dev
mailing list