Python - remote object protocols and security

Chris Angelico rosuav at
Mon Jul 15 18:41:09 CEST 2013

On Tue, Jul 16, 2013 at 2:31 AM, Burak Arslan
<burak.arslan at> wrote:
> On 07/15/13 16:53, Chris Angelico wrote:
>> I haven't looked into the details, but there was one among a list of
>> exploits that was being discussed a few months ago; it involved XML
>> schemas, I think, and quite a few generic XML parsers could be tricked
>> into fetching arbitrary documents. Whether this could be used for
>> anything more serious than a document-viewed receipt or a denial of
>> service (via latency) I don't know, but if nothing else, it's a vector
>> that JSON simply doesn't have. ChrisA
> I must have missed that exploit report, can you provide a link?
> Parsing arbitrary xml documents and parsing xml schema documents and
> applying xml schema semantics to these documents are two very different
> operations.

I don't remember all the details; it isn't something I took particular
note of, as I don't work much with XML. It was something involving
either a schema declaration or a DTD or something of the sort, where
normally no external lookup is required but there's an HTTP URL in
there and it's possible to force that to be resolved.

> Xml schemas are not "tricked" into fetching arbitrary documents,
> xs:include and xs:import fetch external documents, it's a well-known
> feature. If you don't want this, you should ship all of the schema
> documents together and generate the schemas in a way to not include any
> external references. So I'm surprised this was presented as a security
> exploit.

It was something that parsing a basic XML document could trigger, and
in an environment where you wouldn't normally expect extra HTTP
requests to be going out, hence "tricked".

> Json schemas also have similar functionality:
> """
> if canonical dereferencing is used, the implementation will dereference
> this URI, and fetch the content at this URI;
> """
> So I don't understand how you're so sure of yourself, but to me, it
> seems like Json schemas have the same attack vectors.

Yes, but normal JSON data doesn't include schema references. Normal
XML data can and often does.


More information about the Python-list mailing list