[Python-Dev] XML DoS vulnerabilities and exploits in Python

Stefan Behnel stefan_ml at behnel.de
Thu Feb 21 07:37:36 CET 2013

Maciej Fijalkowski, 20.02.2013 21:17:
> On Wed, Feb 20, 2013 at 8:24 PM, Christian Heimes wrote:
>> Am 20.02.2013 17:25, schrieb Benjamin Peterson:
>>> Are these going to become patches for Python, too?
>> I'm working on it. The patches need to be discussed as they break
>> backward compatibility and AFAIK XML standards, too.
> That's not very good. XML parsers are supposed to parse XML according
> to standards.

I think we can shorten this discussion to "this is a serious problem that
needs to be fixed". If that involves taking the freedom that the XML
standard leaves about processing DTDs, then I think we shouldn't be
throwing any high-level bike shedding at it.

Consulting the standard actually helps.


More information about the Python-Dev mailing list