[Python-Dev] XML DoS vulnerabilities and exploits in Python

Donald Stufft donald.stufft at gmail.com
Thu Feb 21 00:45:10 CET 2013


On Wednesday, February 20, 2013 at 6:22 PM, Antoine Pitrou wrote:
> On Wed, 20 Feb 2013 18:21:22 -0500
> Donald Stufft <donald.stufft at gmail.com> wrote:
> > On Wednesday, February 20, 2013 at 6:08 PM, Antoine Pitrou wrote:
> > > > It's not a distributed DoS issue, it's a severe DoS vulnerability. A
> > > > single 1 kB XML document can kill virtually any machine, even servers
> > > > with more than a hundred GB of RAM.
> > > > 
> > > 
> > > 
> > > Assuming an attacker can inject arbitrary XML. Not every XML document
> > > is loaded from the Internet.
> > > 
> > 
> > 
> > Even documents not loaded from the internet can be at risk. Oftentimes
> > security breaches are the result of a chain of actions. You can say "I'm
> > not loading this XML from the internet, so therefore I am safe" but then
> > you have another flaw (for example) where you unpack a zip file
> > without verifying there are no absolute paths and suddenly your XML file has
> > been replaced with a malicious one.
> > 
> 
> 
> Assuming your ZIP file is coming from the untrusted Internet, indeed.
> Again, this is the same assumption that you are grabbing some important
> data from someone you can't trust.
> 
> 

No software you run on your computer grabs data from someone you don't trust
and it all validates that even though you trust them they haven't been exploited?

Like I said, these sorts of things are often caused by chaining several unrelated
things together.
> 
> Just because you are living in a Web-centric world doesn't mean
> everyone does. There are a lot of use cases which are not impacted by
> your security rules. Bugfix releases shouldn't break those use cases,
> which means the security features should be mostly opt-in for 2.7 and
> 3.3.
> 
> Regards
> 
> Antoine.


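As an added example that is not part of this thread (nor of CPython itself), here is the kind of defensive pre-check the discussion is about: expat's declaration handlers are used to refuse any document that declares entities before ElementTree parses it, so a small document built to exhaust memory through entity expansion is rejected without ever being expanded. It is the same idea defusedxml applies; the function names and the two sample documents are constructed for this illustration.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document declares entities, the ingredient of entity-expansion DoS."""


def inspect_xml(data: bytes) -> dict:
    """Scan `data` with expat and report DTD constructs without expanding anything.

    Parsing is aborted at the first entity declaration, so a nested set of
    entities is never expanded in memory no matter how deep it goes.
    """
    report = {"doctype": False, "entity": None}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        report["entity"] = name
        raise UnsafeXML(f"entity declaration {name!r} refused")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(data, True)
    except UnsafeXML:
        pass  # we only wanted to know whether a declaration exists
    return report


def load_xml(data: bytes) -> ET.Element:
    """Parse `data` with ElementTree only if it declares no entities."""
    report = inspect_xml(data)
    if report["entity"] is not None:
        raise UnsafeXML(f"refusing document: declares entity {report['entity']!r}")
    return ET.fromstring(data)


# Constructed samples: a benign document and a small nested-entity document
# of the kind the thread describes (kept tiny here; the check never expands it).
BENIGN = b'<?xml version="1.0"?><config><host>example</host></config>'
NESTED = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aaaa">'
          b'<!ENTITY b "&a;&a;&a;&a;">]><d>&b;</d>')

if __name__ == "__main__":
    print(load_xml(BENIGN).tag)   # config
    print(inspect_xml(NESTED))    # {'doctype': True, 'entity': 'a'}
```

A document that merely carries a DOCTYPE without entity declarations still loads; tighten the check to `report["doctype"]` if your inputs never legitimately need a DTD.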