[Python-Dev] XML DoS vulnerabilities and exploits in Python

Antoine Pitrou solipsis at pitrou.net
Thu Feb 21 15:03:10 CET 2013

Le Thu, 21 Feb 2013 13:04:59 +0100,
Christian Heimes <christian at python.org> a écrit :
> Am 21.02.2013 11:32, schrieb Antoine Pitrou:
> > You haven't proved that these were actual threats, nor how they
> > actually worked. I'm gonna remain skeptical if there isn't anything
> > more precise than "It highly depends on the parser and the
> > application what kind of exploit is possible".
> https://bitbucket.org/tiran/defusedxml/src/82f4037464418bf11ea734969b7ca1c193e6ed91/other/python-external.py?at=default
> $ ./python-external.py

Again, this requires that your attacker can directly feed XML to the
system *and* read the response. Not every computer is a public Internet



More information about the Python-Dev mailing list