Python - remote object protocols and security

Burak Arslan burak.arslan at arskom.com.tr
Mon Jul 15 18:31:33 CEST 2013


On 07/15/13 16:53, Chris Angelico wrote:
> I haven't looked into the details, but there was one among a list of
> exploits that was being discussed a few months ago; it involved XML
> schemas, I think, and quite a few generic XML parsers could be tricked
> into fetching arbitrary documents. Whether this could be used for
> anything more serious than a document-viewed receipt or a denial of
> service (via latency) I don't know, but if nothing else, it's a vector
> that JSON simply doesn't have. ChrisA 

I must have missed that exploit report, can you provide a link?

Parsing arbitrary xml documents and parsing xml schema documents and
applying xml schema semantics to these documents are two very different
operations.

Xml schemas are not "tricked" into fetching arbitrary documents,
xs:include and xs:import fetch external documents, it's a well-known
feature. If you don't want this, you should ship all of the schema
documents together and generate the schemas in a way to not include any
external references. So I'm surprised this was presented as a security
exploit.

Json schemas also have similar functionality:
http://json-schema.org/latest/json-schema-core.html#anchor30

"""
if canonical dereferencing is used, the implementation will dereference
this URI, and fetch the content at this URI;
"""

So I don't understand how you're so sure of yourself, but to me, it
seems like Json schemas have the same attack vectors.

Best regards,
Burak



More information about the Python-list mailing list