[Python-Dev] XML DoS vulnerabilities and exploits in Python
Eli Bendersky
eliben at gmail.com
Thu Feb 21 20:17:57 CET 2013
On Thu, Feb 21, 2013 at 11:12 AM, Christian Heimes <christian at python.org>wrote:
> Am 21.02.2013 19:39, schrieb Eli Bendersky:
> > Just to clarify for my own curiosity. These attacks (e.g.
> > http://en.wikipedia.org/wiki/Billion_laughs) have been known and public
> > since 2003?
>
> Correct, see https://pypi.python.org/pypi/defusedxml#synopsis third
> paragraph. All XML attacks in my analysis are well known for years,
> billion laughs for about a decade.
>
> As far as I know it's the first time somebody has compiled and published
> a detailed list of vulnerabilities in Python's XML libraries. However
> I'm not the only one. OpenStack and Django were contacted by several
> people in the past few weeks, too.
>
Thanks, Christian. I think this should put the urgency of the fix into
context. While I agree that we should work on making future versions
resilient by default, I have doubts about the urgency of back-patching
existing, in-mainteinance-mode stable versions with something that's not
opt-in.
Eli
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130221/04d678b2/attachment-0001.html>
More information about the Python-Dev
mailing list