From wes.turner at gmail.com Tue May 29 00:17:53 2018
From: wes.turner at gmail.com (Wes Turner)
Date: Tue, 29 May 2018 00:17:53 -0400
Subject: [XML-sig] defusedxml -- defusing XML bombs and other exploits
Message-ID:

defusedxml -- defusing XML bombs and other exploits

(I wasn't subscribed to this list. Forwarding this along re: defusedxml)

---------- Forwarded message ----------
From: *Wes Turner*
Date: Monday, May 28, 2018
Subject: [Python-Dev] The history of PyXML
To: Serhiy Storchaka
Cc: "python-dev at python.org", "xml-sig at python.org" <xml-sig at python.org>

On Thursday, May 17, 2018, Serhiy Storchaka wrote:

> [...]
>
> I'm trying to figure out some intentions and fix possible bugs in the xml
> package.

defusedxml
https://pypi.org/project/defusedxml/

> XML bomb protection for Python stdlib modules

https://pypi.org/project/defusedxml/#how-to-avoid-xml-vulnerabilities

"""
Best practices

- Don't allow DTDs
- Don't expand entities
- Don't resolve externals
- Limit parse depth
- Limit total input size
- Limit parse time
- Favor a SAX or iterparse-like parser for potential large data
- Validate and properly quote arguments to XSL transformations and XPath queries
- Don't use XPath expression from untrusted sources
- Don't apply XSL transformations that come from untrusted sources
"""

https://github.com/tiran/defusedxml

> The history of all commits could help.
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com
>
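As an added example (not defusedxml's own code, though it hooks the same pyexpat handlers), here is a stdlib-only parser that enforces the first five practices quoted above: no DTDs, no entity declarations, no external references, a depth cap and a size cap. The names parse_hardened, classify and XMLForbidden are my own; parse time is not limited here.

```python
# Added example, not defusedxml's own code: a stdlib-only parser that applies the
# quoted best practices (no DTDs, no entity declarations, no external references,
# a depth cap and a size cap) by hooking pyexpat's handlers. Parse time is not limited here.
import xml.parsers.expat as expat
from xml.etree.ElementTree import Element, TreeBuilder

class XMLForbidden(ValueError):
    """Raised when the input uses a feature the hardened parser refuses."""

def parse_hardened(data: bytes, max_bytes: int = 1 << 20, max_depth: int = 50) -> Element:
    """Parse untrusted XML into an Element, refusing DTDs, entities and externals."""
    if len(data) > max_bytes:                                   # Limit total input size
        raise XMLForbidden("input exceeds %d bytes" % max_bytes)
    builder, depth = TreeBuilder(), 0

    def forbid(reason):                                         # any call aborts the parse
        def handler(*_args):
            raise XMLForbidden(reason)
        return handler

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:                                   # Limit parse depth
            raise XMLForbidden("nesting deeper than %d" % max_depth)
        builder.start(name, attrs)

    def end(name):
        nonlocal depth
        depth -= 1
        builder.end(name)

    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never load an external DTD subset
    p.StartDoctypeDeclHandler = forbid("DTD not allowed")                   # Don't allow DTDs
    p.EntityDeclHandler = forbid("entity declaration not allowed")          # Don't expand entities
    p.UnparsedEntityDeclHandler = forbid("unparsed entity not allowed")
    p.ExternalEntityRefHandler = forbid("external reference not allowed")   # Don't resolve externals
    p.StartElementHandler, p.EndElementHandler = start, end
    p.CharacterDataHandler = builder.data
    p.Parse(data, True)
    return builder.close()

def classify(data: bytes, **limits) -> str:
    """Return 'ok' or the refusal reason, e.g. for a rejection log line."""
    try:
        parse_hardened(data, **limits)
    except XMLForbidden as exc:
        return str(exc)
    return "ok"
```

Malformed XML still raises the usual xml.parsers.expat.ExpatError; only the policy refusals are reported through XMLForbidden.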