On 02/20/2013 03:35 PM, Greg Ewing wrote:
> Carl Meyer wrote:
>> An XML parser that follows the XML standard is never safe to expose to
>> untrusted input.
>
> Does the XML standard really mandate that a conforming parser
> must blindly download any DTD URL given to it from the real
> live internet? Somehow I doubt that.

For a validating parser, the spec does mandate that. It permits
non-validating parsers (browsers are the only example given) to simply note
the existence of an external entity reference and "retrieve it for display
only on demand." [1]

But this isn't particularly relevant; the quoted statement is true even if
you ignore the external reference issues entirely and consider only
entity-expansion DoS. Some level of non-conformance to the spec is necessary
to make parsing of untrusted XML safe.

Carl

[1] http://www.w3.org/TR/xml/#include-if-valid
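The two failure modes named in the message (external DTD retrieval and entity-expansion DoS) and the "deliberate non-conformance" remedy, shown as an added Python example. This is not code from the thread or from any Python project; it uses only the standard library's `xml.etree.ElementTree` and `xml.parsers.expat`. The three sample documents are constructed for the illustration, the internal-entity sample is kept deliberately tiny (it expands to four characters, not a bomb), and the DTD host `dtd.example.invalid` is a placeholder that the code never contacts.

```python
"""Defender-side checks for the two problems raised in the thread: external DTD
references and entity-expansion DoS. Added illustration, not code from the list.
All sample documents below are constructed; the DTD URL is a placeholder and is
never fetched by any path in this file."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed: internal entities that expand multiplicatively.
# Kept tiny on purpose: "a" is 2 chars, "b" is two copies of "a" -> 4 chars.
# A bomb has the same shape with more levels and more repetitions per level.
SAMPLE_INTERNAL = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY a "xx">
  <!ENTITY b "&a;&a;">
]>
<doc>&b;</doc>"""

# Constructed: an external DTD reference (placeholder host, never contacted).
SAMPLE_EXTERNAL = """<?xml version="1.0"?>
<!DOCTYPE doc SYSTEM "http://dtd.example.invalid/doc.dtd">
<doc>hello</doc>"""

# Constructed: a plain document with no DOCTYPE at all.
SAMPLE_PLAIN = "<doc>plain</doc>"


def expanded_text(doc: str) -> str:
    """Parse with the stdlib default parser and return the root element's text.

    This is the conformant behaviour the thread is about: internal entities are
    expanded, and nested definitions multiply the output size."""
    return ET.fromstring(doc).text or ""


def mentions_doctype(doc: str) -> bool:
    """Cheapest possible guard: refuse any document carrying a DOCTYPE, since
    both entity declarations and external DTD references live there.
    Deliberately non-conformant and deliberately coarse (a '<!DOCTYPE' inside a
    comment also trips it); that is the trade-off for untrusted input."""
    return "<!DOCTYPE" in doc


def parse_untrusted(doc: str) -> str:
    """Parse with expat but refuse the two DTD features that make untrusted
    input dangerous. Returns the concatenated character data of the document,
    or raises ValueError before any entity is expanded or fetched."""
    parser = expat.ParserCreate()
    chunks: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A SYSTEM/PUBLIC id names an external subset that a validating
        # parser would have to retrieve; refuse it outright.
        if sysid is not None or pubid is not None:
            raise ValueError(f"refusing external DTD reference on <!DOCTYPE {name}>")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities are the expansion vector, external ones are the
        # fetch vector; an untrusted document gets neither.
        raise ValueError(f"refusing entity declaration {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)  # an exception raised in a handler propagates here
    return "".join(chunks)


def is_refused(doc: str) -> bool:
    """True if parse_untrusted rejects the document."""
    try:
        parse_untrusted(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("default parser expands entities to:", repr(expanded_text(SAMPLE_INTERNAL)))
    for label, sample in (("internal", SAMPLE_INTERNAL),
                          ("external", SAMPLE_EXTERNAL),
                          ("plain", SAMPLE_PLAIN)):
        print(f"{label}: doctype={mentions_doctype(sample)} refused={is_refused(sample)}")
```

The expat handlers fire before the parser acts on the declaration, so the refusal happens before any expansion or retrieval; the `mentions_doctype` string check is the even blunter option for code paths that cannot be bothered to configure a parser at all.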