[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)

Christian Heimes christian at python.org
Thu Sep 13 19:47:23 EDT 2018


On 06/09/2018 07.18, Victor Stinner wrote:
> Hi,
> 
> The Python bug tracker is full of bugs, and sadly we don't have enough
> people to take care of all of them. There are 3 open bugs about
> security issues in XML and I simply propose to close it:
> 
>    https://bugs.python.org/issue17318
>    https://bugs.python.org/issue17239
>    https://bugs.python.org/issue24238
> 
> The XML documentation already starts with a red warning explaining the
> security limitations of the Python implementation and points to
> defusedxml and defusedexpat which are existing and working
> counter-measures:
> 
>    https://docs.python.org/dev/library/xml.html
> 
> Note: Christian Heimes, author of these 2 packages, told me that these
> modules may not work on Python 3.7, he didn't have time to maintain
> them recently. Maybe someone might want to help him?
> 
> I suggest to close the 3 Python bugs without doing anything. Are you
> ok with that? Keeping the issue open for 3 years doesn't help anyone,
> and there is already a security warning in all supported version (I
> checked 2.7 and 3.4).
> 
> It seems like XML is getting less popular because of JSON becoming
> more popular (even if JSON obviously comes with its own set of
> security issues...). It seems like less core developers care about XML
> (today than 3 years ago).
> 
> We should just accept that core developers have limited availability
> and that documenting security issues is an *acceptable* trade-off. I
> don't see any value of keeping these 3 issues open.

Hi,

during the Python core developer sprint, Steve Dower forced ^H^H^H^H^H^H
convinced me into looking into the XML security bugs again. I come with
fixes for all issues. However all security fixes require a change of
behavior. I strongly believe that the change doesn't affect the majority
of users in a negative way.

For entity expansion attacks (billion laughs, quadratic blowup), the
issue cannot be fixed in a libexpat callback. I decided that it's better
to fix the issue in expat directly. libxml2 added limits for entity
expansion many years ago, too. I created a patch for libexpat to limit
nesting depths, entity length and ratio between XML data and expansion,
https://github.com/libexpat/libexpat/pull/220 . The PR is a proof of
concept.

For the external entity and DTD bug in SAX and pulldom parser, I changed
the default setting in PR https://github.com/python/cpython/pull/9217 .
When accepted, the parsers no longer load and embed files from local
directories or network locations.

Regards,
Christian



More information about the Python-Dev mailing list