[Python-Dev] XML DoS vulnerabilities and exploits in Python
donald.stufft at gmail.com
Thu Feb 21 00:32:51 CET 2013
On Wednesday, February 20, 2013 at 6:23 PM, Christian Heimes wrote:
> We can add a function to the XML package tree that enables all restrictions:
> * limit expansion depths of nested entities
> * limit total amount of expanded chars
> * disable external entity expansion
> * optionally force expat to ignore and reset all DTD information
> 3rd party users have to disable secure settings explicitly for the
> current interpreter (although expat limits are process wide and shared
> across subinterpreters).
> try:
>     import xml.security
> except ImportError:
>     # old Python
>     pass
We've learned nothing from Ruby and their YAML problems. Things need to
be safe by default and the unsafe things explicitly enabled. Even *smart*
developers do things wrong (e.g. YAML.load instead of YAML.safe_load) and
protecting developers by default should be the path forward.
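The four restrictions Christian lists (nested-entity depth limit, total expanded-character limit, no external entities, optional refusal of any DTD) can all be enforced on top of the stdlib expat binding. The following is an added example written for this page, not code from the thread, from CPython or from the proposed `xml.security` module; `HardenedParser`, `check`, the default limit values and the sample documents are all assumptions of the example, and the parser rejects a document as soon as a declaration or an expansion crosses a limit rather than after the damage is done.

```python
import re
import xml.parsers.expat as expat

# Matches a general entity reference (&name;) inside entity replacement text.
_ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


class XMLSecurityError(ValueError):
    """Raised when a document trips one of the configured limits."""


class HardenedParser:
    """Wrap an expat parser and enforce the restrictions discussed in the thread.

    max_depth          - how deeply entity replacement text may nest references
    max_expanded_chars - cap on character data delivered after expansion
    allow_external     - whether SYSTEM/PUBLIC entities are permitted at all
    forbid_dtd         - reject any document that carries a DOCTYPE
    (defaults are assumed values, not from the thread)
    """

    def __init__(self, max_depth=3, max_expanded_chars=10_000,
                 allow_external=False, forbid_dtd=False):
        self.max_depth = max_depth
        self.max_expanded_chars = max_expanded_chars
        self.allow_external = allow_external
        self.forbid_dtd = forbid_dtd
        self._entities = {}   # entity name -> raw replacement text
        self._stats = {}      # entity name -> (expanded length, nesting depth)
        self._chars_seen = 0
        self._text = []
        parser = expat.ParserCreate()
        parser.StartDoctypeDeclHandler = self._on_doctype
        parser.EntityDeclHandler = self._on_entity_decl
        parser.ExternalEntityRefHandler = self._on_external_ref
        parser.CharacterDataHandler = self._on_chars
        self._parser = parser

    def _on_doctype(self, name, sysid, pubid, has_internal_subset):
        if self.forbid_dtd:
            raise XMLSecurityError("DTD present but forbid_dtd is set")

    def _on_entity_decl(self, name, is_param, value, base, sysid, pubid, notation):
        if value is None:
            # No inline replacement text means an external entity.
            if not self.allow_external:
                raise XMLSecurityError("external entity %r declared" % name)
            return
        self._entities[name] = value
        length, depth = self._measure(name)
        if depth > self.max_depth:
            raise XMLSecurityError("entity %r nests %d levels deep" % (name, depth))
        if length > self.max_expanded_chars:
            raise XMLSecurityError("entity %r expands to %d chars" % (name, length))

    def _measure(self, name, seen=()):
        """Return (expanded length, nesting depth) of an entity, memoised so the
        cost stays linear even when the declarations multiply each other."""
        if name in self._stats:
            return self._stats[name]
        if name in seen:
            raise XMLSecurityError("entity %r references itself" % name)
        value = self._entities.get(name)
        if value is None:
            return 1, 0  # not declared yet, or a built-in like &amp;: one char
        length = depth = last = 0
        for match in _ENTITY_REF.finditer(value):
            length += match.start() - last
            sub_length, sub_depth = self._measure(match.group(1), seen + (name,))
            length += sub_length
            depth = max(depth, sub_depth + 1)
            last = match.end()
        length += len(value) - last
        self._stats[name] = (length, depth)
        return length, depth

    def _on_external_ref(self, context, base, sysid, pubid):
        if not self.allow_external:
            raise XMLSecurityError("external entity reference refused")
        return 1  # tells expat the reference was handled; resolving it is left to the caller

    def _on_chars(self, data):
        # Backstop: anything the declaration-time estimate missed (forward
        # references, for instance) is caught here as expat emits the text.
        self._chars_seen += len(data)
        if self._chars_seen > self.max_expanded_chars:
            raise XMLSecurityError("expanded character data exceeds %d chars"
                                   % self.max_expanded_chars)
        self._text.append(data)

    def parse(self, data):
        """Parse a whole document and return its character content."""
        self._parser.Parse(data, True)
        return "".join(self._text)


def check(data, **limits):
    """Return ("ok", text) if the document passes, else ("rejected", reason)."""
    try:
        return "ok", HardenedParser(**limits).parse(data)
    except XMLSecurityError as exc:
        return "rejected", str(exc)


# Constructed sample documents for the demo (not taken from the thread).
SAFE_DOC = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY greet "hello">]>'
            '<r>&greet; world</r>')
NESTED_DOC = """<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY a "xxxxxxxxxx">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;">
]>
<r>&d;</r>"""
EXTERNAL_DOC = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM "external.txt">]>'
                '<r>&ext;</r>')

if __name__ == "__main__":
    print(check(SAFE_DOC))                            # ('ok', 'hello world')
    print(check(NESTED_DOC, max_expanded_chars=500))  # rejected when d is declared
    print(check(NESTED_DOC, max_depth=2))             # rejected: d nests 3 levels
    print(check(EXTERNAL_DOC))                        # rejected: external entity
```

The declaration-time measurement refuses a multiplying entity before expat ever expands it, the character counter catches whatever slips past that estimate, and `forbid_dtd=True` is the "ignore all DTD information" switch from the list. This matches Donald's point only if the restrictive values are the defaults: an application that wants external entities or deep nesting has to pass `allow_external=True` or a larger `max_depth` explicitly.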