[Python-Dev] XML DoS vulnerabilities and exploits in Python
Antoine Pitrou
solipsis at pitrou.net
Thu Feb 21 00:08:08 CET 2013
On Wed, 20 Feb 2013 22:55:57 +0100
Christian Heimes <christian at python.org> wrote:
> On 20.02.2013 21:17, Maciej Fijalkowski wrote:
> > On Wed, Feb 20, 2013 at 8:24 PM, Christian Heimes <christian at python.org> wrote:
> >> On 20.02.2013 17:25, Benjamin Peterson wrote:
> >>> Are these going to become patches for Python, too?
> >>
> >> I'm working on it. The patches need to be discussed as they break
> >> backward compatibility and AFAIK XML standards, too.
> >
> > That's not very good. XML parsers are supposed to parse XML according
> > to standards. Is the goal to have them actually do that, or just
> > address DDOS issues?
>
> But the standard is flawed.

It is not flawed as long as you are operating in a sandbox (read:
controlled environment).

> It's not a distributed DoS issue, it's a severe DoS vulnerabilities. A
> single 1 kB XML document can kill virtually any machine, even servers
> with more than hundred GB RAM.

Assuming an attacker can inject arbitrary XML. Not every XML document
is loaded from the Internet. Not everyone is a security nut.

Regards

Antoine.
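The trusted/untrusted distinction argued in the message above, as an added example that is not part of the original post or of any patch discussed in the thread: entity declarations are refused only for input not marked as trusted, using the standard library's expat bindings. The names parse_xml, ForbiddenXML and the two sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Untrusted XML declared an entity, which this policy refuses."""


def _reject_entity_declarations(data: bytes) -> None:
    # Pre-scan with expat. Declarations live in the DOCTYPE, before the root
    # element, so raising here aborts the parse before any entity reference
    # in the document body is expanded.
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenXML(f"entity declaration {name!r} in untrusted XML")

    scanner = expat.ParserCreate()
    scanner.EntityDeclHandler = on_entity_decl  # internal and external entities
    scanner.Parse(data, True)  # malformed input raises expat.ExpatError


def parse_xml(data: bytes, trusted: bool = False) -> ET.Element:
    """Parse XML; only input marked trusted may declare entities."""
    if not trusted:
        _reject_entity_declarations(data)
    return ET.fromstring(data)


# Constructed sample documents (assumptions, not taken from the thread).
PLAIN = b"<config><name>demo</name></config>"
WITH_ENTITIES = (
    b'<!DOCTYPE config [<!ENTITY a "x"><!ENTITY b "&a;&a;">]>'
    b"<config><name>&b;</name></config>"
)

if __name__ == "__main__":
    print(parse_xml(PLAIN).findtext("name"))
    print(parse_xml(WITH_ENTITIES, trusted=True).findtext("name"))
    try:
        parse_xml(WITH_ENTITIES)
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

The default is the restrictive one, so a caller has to state explicitly that a document comes from a controlled source before entities are expanded.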