[Python-Dev] XML DoS vulnerabilities and exploits in Python
Skip Montanaro
skip at pobox.com
Wed Feb 20 21:53:55 CET 2013
> > I'm working on it. The patches need to be discussed as they break
> > backward compatibility and AFAIK XML standards, too.
>
> That's not very good. XML parsers are supposed to parse XML according
> to standards. Is the goal to have them actually do that, or just
> address DDOS issues?

Having read through Christian's mail and several of his references, it
seems to me that addressing the DDoS issues is preferable to blindly
following a standard that predates the Morris worm by a couple years.
Everyone played nice before that watershed event. Heck, back then you
could telnet to gnu at prep.ai.mit.edu without a password!

Any incompatibility should have minimal impact. I haven't looked into
the defusedxml package to see what limits it introduces to protect
against attacks, but it seems that most well-behaved entities will use
little, if any, recursion, and result in a size increase of less than a
factor of 10 when fully expanded.

Skip
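The kind of limit Skip sketches (little recursion, no more than about a tenfold size increase), as an added example that is not part of the thread, of CPython or of defusedxml: an expat entity-declaration hook that computes each internal entity's fully expanded size and nesting depth arithmetically and rejects the document before the body can reference the entity. The thresholds, the use of "literal bytes declared so far" as a stand-in for DTD size, and the sample documents are assumptions made for this example.

```python
import re
import xml.parsers.expat

# Assumed thresholds (not from the thread): Skip's "factor of 10" as the maximum
# growth, plus a shallow limit on how deeply entities may nest.
MAX_EXPANSION_RATIO = 10
MAX_ENTITY_DEPTH = 3
_REF = re.compile(r"&([^&;\s]+);")  # a general entity reference inside a value

class EntityLimitError(ValueError):
    """A DTD entity would expand beyond the configured limits."""

def expanded_size(name, entities, stack=()):
    """(size, depth) of entity `name` fully expanded, computed arithmetically so the
    expanded text is never built; `stack` rejects self-referencing entities."""
    if name in stack:
        raise EntityLimitError(f"entity {name!r} references itself")
    value, size, depth, pos = entities[name], 0, 0, 0
    for m in _REF.finditer(value):
        size, pos = size + m.start() - pos, m.end()   # literal text before the reference
        if m.group(1) in entities:                     # one of the DTD's own entities
            sub_size, sub_depth = expanded_size(m.group(1), entities, stack + (name,))
            size, depth = size + sub_size, max(depth, sub_depth + 1)
        else:                                          # &amp; etc., or not declared yet
            size += m.end() - m.start()
    return size + len(value) - pos, depth

def check_entity_limits(xml_text, max_ratio=MAX_EXPANSION_RATIO, max_depth=MAX_ENTITY_DEPTH):
    """Parse with expat, vetting each internal entity as it is declared, before the body
    can reference it. Returns {name: expanded size} or raises EntityLimitError. The ratio
    compares the expanded size with the literal bytes of every entity declared so far."""
    entities, report = {}, {}
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # external entity: nothing inline to measure, so refuse it
            raise EntityLimitError(f"external entity {name!r} is not allowed")
        entities[name] = value
        size, depth = expanded_size(name, entities)
        literal = sum(len(v) for v in entities.values())
        if depth > max_depth:
            raise EntityLimitError(f"entity {name!r} nests {depth} levels deep")
        if size > max_ratio * literal:
            raise EntityLimitError(f"entity {name!r} expands to {size} bytes from {literal}")
        report[name] = size
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)
    return report

# Constructed samples: a harmless DTD, and a nested one that grows tenfold per level.
BENIGN = ('<!DOCTYPE doc [<!ENTITY company "Example Corp">'
          '<!ENTITY footer "Copyright &company;">]><doc>&footer;</doc>')
NESTED = ('<!DOCTYPE doc [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><doc>&c;</doc>')
```

Expat 2.4 and later applies a comparable amplification limit inside the parser itself; this hook is the explicit, tunable version of that check, and it fires at declaration time rather than after bytes have already been produced.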