[Python-Dev] XML DoS vulnerabilities and exploits in Python

Maciej Fijalkowski fijall at gmail.com
Thu Feb 21 17:02:07 CET 2013


On Thu, Feb 21, 2013 at 9:29 AM, Tres Seaver <tseaver at palladion.com> wrote:
> On 02/21/2013 01:53 AM, Antoine Pitrou wrote:
>> On Thu, 21 Feb 2013 11:37:47 +1100 Steven D'Aprano
>> <steve at pearwood.info> wrote:
>>>
>>> It's easy to forget that malware existed long before the Internet.
>>> The internet is just a transmission vector, it is not the source of
>>> malicious files. The source of malicious files is *other people*,
>>> and unless you never use XML files you didn't generate yourself, you
>>> cannot completely trust the source. You might trust your colleagues
>>> to not *intentionally* pass you a malicious XML file, but they may
>>> still do so accidentally.
>>
>> That's in theory very nice, but in practice security in everyday
>> computing hasn't really been a concern before the massification of
>> Internet access.
>>
>> (yes, there have been viruses on mainstream platforms such as the
>> Amiga, but it was pretty minor compared to nowadays, and nobody cared
>> about potential DoS attacks for example)
>>
>> So, as for XML files, we are talking about a DoS vulnerability. It
>> will take more than a single file to make a DoS attack really
>> annoying, which means the attacker must pollute the source of those
>> XML files in a systemic way. It's not "a single XML file will smuggle
>> confidential data out of the building".
>
> Antoine,
>
> A single, small, malicious XML file can kill a machine (not just the
> process parsing it) by sucking all available RAM.  We are talking hard
> lockup, reboot-to-fix-it sorts of DoS here.

Er, no. We're talking about running out of RAM. Any reasonable person
would already have a limit one way or another (rlimits, anyone?).

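Maciej's point about rlimits, as an added example that is not code from this thread or from CPython: parse untrusted XML in a forked child whose address space is capped with RLIMIT_AS, so a document that balloons in memory fails inside the child rather than taking the host down. The function name, the cap values and the sample document are assumptions; the sample is deliberately large but contains no entity expansion.

```python
import os
import resource
import xml.etree.ElementTree as ET

# Constructed sample: large but legitimate (no entity expansion), so the
# demo never needs an actual XML bomb; it parses to ~200k Element objects.
MANY_ITEMS_XML = b"<list>" + b"<item/>" * 200_000 + b"</list>"


def parse_with_memory_cap(data, cap_bytes):
    """Parse `data` in a forked child whose address space is capped with
    RLIMIT_AS, so a document that balloons in memory fails in the child
    instead of exhausting the host.  Returns "ok:<root tag>", "memory-limit"
    (MemoryError under the cap), "error:<ExceptionName>" (expat may report
    its own allocation failure as a ParseError), or "signal:<n>"/"exit:<n>"
    if the child died before it could report."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: apply the cap, parse, report, never return
        os.close(read_fd)
        code, report = 3, b""
        try:
            try:
                _, hard = resource.getrlimit(resource.RLIMIT_AS)
                if hard != resource.RLIM_INFINITY:
                    cap_bytes = min(cap_bytes, hard)  # cannot exceed hard limit
                resource.setrlimit(resource.RLIMIT_AS, (cap_bytes, cap_bytes))
                root = ET.fromstring(data)
                code, report = 0, b"ok:" + root.tag.encode()
            except MemoryError:
                code, report = 1, b"memory-limit"
            except Exception as exc:
                code, report = 2, b"error:" + type(exc).__name__.encode()
            os.write(write_fd, report)
        finally:
            os._exit(code)  # exit even if building or writing the report failed
    # parent: a single small write (or EOF if the child died), then reap
    os.close(write_fd)
    report = os.read(read_fd, 4096)
    os.close(read_fd)
    _, status = os.waitpid(pid, 0)
    if report:
        return report.decode()
    if os.WIFSIGNALED(status):
        return "signal:%d" % os.WTERMSIG(status)
    return "exit:%d" % os.WEXITSTATUS(status)
```

With a 1 GiB cap the sample parses normally; with a cap below the child's current address-space use the parse fails in the child and the parent simply gets a status string back. RLIMIT_AS is enforced on Linux; some other platforms accept the call but do not enforce it.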