[Python-Dev] XML DoS vulnerabilities and exploits in Python
Antoine Pitrou
solipsis at pitrou.net
Thu Feb 21 15:03:10 CET 2013
Le Thu, 21 Feb 2013 13:04:59 +0100,
Christian Heimes <christian at python.org> a écrit :
> Am 21.02.2013 11:32, schrieb Antoine Pitrou:
> > You haven't proved that these were actual threats, nor how they
> > actually worked. I'm gonna remain skeptical if there isn't anything
> > more precise than "It highly depends on the parser and the
> > application what kind of exploit is possible".
>
> https://bitbucket.org/tiran/defusedxml/src/82f4037464418bf11ea734969b7ca1c193e6ed91/other/python-external.py?at=default
>
> $ ./python-external.py
[snip]
Again, this requires that your attacker can directly feed XML to the
system *and* read the response. Not every computer is a public Internet
server.
Regards
Antoine.
More information about the Python-Dev
mailing list