[Python-Dev] XML DoS vulnerabilities and exploits in Python

Antoine Pitrou solipsis at pitrou.net
Thu Feb 21 07:53:12 CET 2013


On Thu, 21 Feb 2013 11:37:47 +1100
Steven D'Aprano <steve at pearwood.info> wrote:
> 
> It's easy to forget that malware existed long before the Internet. The internet is just a transmission vector, it is not the source of malicious files. The source of malicious files is *other people*, and unless you never use XML files you didn't generate yourself, you cannot completely trust the source. You might trust your colleagues to not *intentionally* pass you a malicious XML file, but they may still do so accidentally.

That's in theory very nice, but in practice security in everyday
computing hasn't really been a concern before the massification of
Internet access.

(yes, there have been viruses on mainstream platforms such as the
Amiga, but they were pretty minor compared to nowadays, and nobody cared
about potential DoS attacks, for example)

So, as for XML files, we are talking about a DoS vulnerability. It
will take more than a single file to make a DoS attack really
annoying, which means the attacker must pollute the source of those XML
files in a systemic way. It's not "a single XML file will smuggle
confidential data out of the building".

Regards

Antoine.