[Python-Dev] XML DoS vulnerabilities and exploits in Python
Tres Seaver
tseaver at palladion.com
Thu Feb 21 00:49:59 CET 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/20/2013 06:22 PM, Antoine Pitrou wrote:
> On Wed, 20 Feb 2013 18:21:22 -0500 Donald Stufft
> <donald.stufft at gmail.com> wrote:
>> On Wednesday, February 20, 2013 at 6:08 PM, Antoine Pitrou wrote:
>>>> It's not a distributed DoS issue, it's a severe DoS
>>>> vulnerabilities. A single 1 kB XML document can kill virtually
>>>> any machine, even servers with more than hundred GB RAM.
>>>>
>>>
>>> Assuming an attacker can inject arbitrary XML. Not every XML
>>> document is loaded from the Internet.
>>
>> Even documents not loaded from the internet can be at risk. Often
>> times security breaches are the result of a chain of actions. You
>> can say "I'm not loading this XML from the internet, so therefore I
>> am safe" but then you have another flaw (for example) where you
>> unpack a zip file without verifying there are not absolute paths and
>> suddenly your xml file has been replaces with a malicious one.
>
> Assuming your ZIP file is coming from the untrusted Internet, indeed.
> Again, this is the same assumption that you are grabbing some
> important data from someone you can't trust.
>
> Just because you are living in a Web-centric world doesn't mean
> everyone does. There are a lot of use cases which are not impacted by
> your security rules. Bugfix releases shouldn't break those use cases,
> which means the security features should be mostly opt-in for 2.7 and
> 3.3.
Two words: "hash randomization". If it applies to one, it applies to
the other.
Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlElYScACgkQ+gerLs4ltQ4QgwCfctL8/FmnboJWozyPcSE1xbb2
wwIAoNVc2hoQci9G2M6g/keNNsN5RR0O
=Q9IX
-----END PGP SIGNATURE-----
More information about the Python-Dev
mailing list