[Python-Dev] XML DoS vulnerabilities and exploits in Python

Christian Heimes christian at python.org
Thu Feb 21 20:12:22 CET 2013


On 21.02.2013 19:39, Eli Bendersky wrote:
> Just to clarify for my own curiosity. These attacks (e.g.
> http://en.wikipedia.org/wiki/Billion_laughs) have been known and public
> since 2003?

Correct, see https://pypi.python.org/pypi/defusedxml#synopsis, third
paragraph. All XML attacks in my analysis have been well known for years,
billion laughs for about a decade.

As far as I know, it's the first time somebody has compiled and published
a detailed list of vulnerabilities in Python's XML libraries. However,
I'm not the only one. OpenStack and Django were contacted by several
people in the past few weeks, too.
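A stdlib-only guard in the spirit of defusedxml, added here as an example (it is not code from this thread or from the defusedxml project): entity expansion attacks such as billion laughs need a DOCTYPE with entity declarations, so the parse is aborted the moment either appears, before any expansion can take place. The sample documents are constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Raised when the document carries a DOCTYPE declaration."""


class EntitiesForbidden(ValueError):
    """Raised when the document declares or references an entity."""


def check_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> None:
    """Scan data with expat and raise before any entity is expanded.

    Expat calls these handlers as the declarations are read, so raising
    inside one aborts the parse; nothing after that point is processed.
    """
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed in untrusted XML")

    def on_entity(name, *_):
        raise EntitiesForbidden(f"entity declaration {name!r} not allowed")

    def on_external(context, base, sysid, pubid):
        # Raising here aborts instead of fetching the referenced resource.
        raise EntitiesForbidden(f"external entity {sysid!r} not allowed")

    if forbid_dtd:
        p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.UnparsedEntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external
    p.Parse(data, True)  # ExpatError on malformed input


def parse_untrusted(data: bytes, forbid_dtd: bool = True) -> ET.Element:
    """Hand data to ElementTree only after the guard has accepted it."""
    check_untrusted_xml(data, forbid_dtd=forbid_dtd)
    return ET.fromstring(data)


def classify(data: bytes, forbid_dtd: bool = True) -> str:
    """Label a document for logging or metrics: ok, dtd, entity, malformed."""
    try:
        parse_untrusted(data, forbid_dtd=forbid_dtd)
    except DTDForbidden:
        return "dtd"
    except EntitiesForbidden:
        return "entity"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"
    return "ok"


# Constructed sample documents (not taken from the thread).
CLEAN = b'<?xml version="1.0"?><config><host>db.internal</host></config>'
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE config><config/>'
WITH_ENTITY = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE config [<!ENTITY greet "hello">]>'
               b'<config>&greet;</config>')
```

Rejecting every DOCTYPE is the simplest policy; passing forbid_dtd=False still blocks entity declarations but lets plain DOCTYPE headers through.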