[Python-Dev] XML DoS vulnerabilities and exploits in Python

Donald Stufft donald.stufft at gmail.com
Thu Feb 21 00:32:51 CET 2013

On Wednesday, February 20, 2013 at 6:23 PM, Christian Heimes wrote:
> We can add a function to the XML package tree that enables all restrictions:
> * limit expansion depths of nested entities
> * limit total amount of expanded chars
> * disable external entity expansion
> * optionally force expat to ignore and reset all DTD information
> 3rd party users have to disable secure settings explicitly for the
> current interpreter (although expat limits are process wide and shared
> across subinterpreters).
> try:
> import xml.security
> except ImportError:
> # old Python
> pass
> else:
> xml.security.harden_xml_parser()

We've learned nothing from Ruby and their YAML problems. Things need to 
be safe by default and the unsafe things explicitly enabled. Even *smart*
developers do things wrong (e.g. YAML.load instead of YAML.safe_load) and
protecting developers by default should be the path forward.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130220/635e6012/attachment.html>

More information about the Python-Dev mailing list