[Python-Dev] XML DoS vulnerabilities and exploits in Python

Antoine Pitrou solipsis at pitrou.net
Thu Feb 21 11:32:53 CET 2013

Le Thu, 21 Feb 2013 11:18:35 +0100,
Christian Heimes <christian at python.org> a écrit :
> Am 21.02.2013 08:42, schrieb Antoine Pitrou:
> > Sure, but in many instances, rebooting a machine is not
> > business-threatening. You will have a couple of minutes' downtime
> > and that's all. Which is why the attack must be repeated many times
> > to be a major annoyance.
> Is this business-threatening enough?
> https://pypi.python.org/pypi/defusedxml#external-entity-expansion-remote

You haven't proved that these were actual threats, nor how they
actually worked. I'm gonna remain skeptical if there isn't anything
more precise than "It highly depends on the parser and the application
what kind of exploit is possible".



More information about the Python-Dev mailing list