Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://mail.python.org/pipermail/python-dev/2013-February/124212.html below:

[Python-Dev] XML DoS vulnerabilities and exploits in Python

• Previous message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
• Next message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 21, 2013 at 9:49 AM, Tres Seaver <tseaver at palladion.com> wrote:
> Two words:  "hash randomization".  If it applies to one, it applies to
> the other.

Agreed. Christian's suggested approach sounds sane to me:

- make it possible to enable safer behaviour globally in at least 2.7
and 3.3 (and perhaps in 2.6 and 3.2 security releases as well)
- make the safer behaviour the default in 3.4
- make it possible to selectively disable the safeguards in all versions

A *possible* alternative in to step 1 is loud warnings in the docs
directing people to defusedxml, but I prefer the idea of actually
making the safeguards available directly in the standard library.

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

• Previous message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
• Next message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4