[Python-Dev] XML DoS vulnerabilities and exploits in Python
Christian Heimes
christian at python.org
Thu Feb 21 00:23:52 CET 2013
On 20.02.2013 23:56, Fred Drake wrote:
> While I'd hate to make XML processing more painful than it often is, there's
> no injunction not to be reasonable. Security concerns and resource limits
> are cross-cutting concerns, so it's not wrong to provide safe defaults.
>
> Doing so *will* be backward incompatible, and I'm not sure there's a good
> way to gauge the extent of the breakage.

We could walk a different path, but that would keep Python's XML libraries
in an insecure mode by default.

My latest patch to expat and pyexpat supports global default values. The
global defaults are used when a new parser is created with
pyexpat.ParserCreate(). It's also possible to disable the new limitations
in expat by default. We can add a function to the XML package tree that
enables all restrictions:

 * limit expansion depths of nested entities
 * limit total amount of expanded chars
 * disable external entity expansion
 * optionally force expat to ignore and reset all DTD information

3rd-party users have to disable secure settings explicitly for the current
interpreter (although expat limits are process-wide and shared across
subinterpreters).

  try:
      import xml.security
  except ImportError:
      # old Python
      pass
  else:
      xml.security.harden_xml_parser()

I guess most programs either process untrusted XML input or large XML
documents that require expansion and DTD validation.

Christian
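The four restrictions listed in the message can be approximated today in pure Python on top of the handler API that pyexpat already exposes, without the expat patch. The example below is added here for illustration; it is not Christian's patch, not the proposed xml.security module (which does not exist), and not code from Python. Names such as HardenedParser, XMLSecurityError and parse_safely are hypothetical, and the sample documents are constructed for the demonstration. Expansion depth and size are computed when each entity is declared (XML requires an entity to be declared before it is referenced, so each reference in an entity value resolves against an entity already seen), external entities are refused at declaration and reference time, a DOCTYPE can be refused outright, and a running total of delivered character data caps the overall expansion.

```python
import re
import xml.parsers.expat as expat

# Internal general-entity references (&name;) inside an entity value; the
# leading '#' exclusion keeps character references (&#65;) out of the match.
ENTITY_REF = re.compile(r"&([^\s&;#]+);")


class XMLSecurityError(ValueError):
    """A document exceeded one of the configured limits."""


class HardenedParser:
    # Hypothetical names; this is not the proposed xml.security module.
    def __init__(self, max_entity_depth=20, max_entity_size=1_000_000,
                 max_total_chars=10_000_000, forbid_external=True, forbid_dtd=False):
        self.max_entity_depth, self.max_entity_size = max_entity_depth, max_entity_size
        self.max_total_chars, self.forbid_external = max_total_chars, forbid_external
        self.forbid_dtd = forbid_dtd
        self._entities = {}      # general entity name -> (expanded size, nesting depth)
        self._total_chars, self._text = 0, []
        p = expat.ParserCreate()
        p.StartDoctypeDeclHandler = self._start_doctype
        p.EntityDeclHandler = self._entity_decl
        p.ExternalEntityRefHandler = self._external_ref
        p.CharacterDataHandler = self._char_data
        self._parser = p

    # Crude form of "ignore all DTD information": refuse the DOCTYPE outright.
    def _start_doctype(self, name, system_id, public_id, has_internal_subset):
        if self.forbid_dtd:
            raise XMLSecurityError("DOCTYPE declarations are not allowed")

    # Depth and expanded size are computed at *declaration* time: XML requires an
    # entity to be declared before it is referenced, so every &ref; in the value
    # resolves against an entity already recorded in self._entities.
    def _entity_decl(self, name, is_param, value, base, system_id, public_id,
                     notation_name):
        if value is None:                   # SYSTEM/PUBLIC declaration = external
            if self.forbid_external:
                raise XMLSecurityError(f"external entity {name!r} not allowed")
            return
        if is_param:                        # %pe; refs cannot nest in the internal subset
            return
        size, depth = len(value), 0
        for ref in ENTITY_REF.findall(value):
            if ref in self._entities:
                ref_size, ref_depth = self._entities[ref]
                size += ref_size - (len(ref) + 2)   # "&ref;" replaced by its expansion
                depth = max(depth, ref_depth + 1)
        if depth > self.max_entity_depth:
            raise XMLSecurityError(f"entity {name!r} nests {depth} levels deep")
        if size > self.max_entity_size:
            raise XMLSecurityError(f"entity {name!r} expands to {size} characters")
        self._entities[name] = (size, depth)

    def _external_ref(self, context, base, system_id, public_id):
        if self.forbid_external:
            raise XMLSecurityError(f"external entity reference {system_id!r} blocked")
        return 1                            # report "handled" without fetching anything

    # Running total of delivered text catches one modest entity referenced many
    # times (quadratic blowup), which the per-entity check alone would miss.
    def _char_data(self, data):
        self._total_chars += len(data)
        if self._total_chars > self.max_total_chars:
            raise XMLSecurityError("expanded character data exceeds limit")
        self._text.append(data)

    def parse(self, doc):
        self._parser.Parse(doc, True)
        return "".join(self._text)


def parse_safely(doc, **limits):
    """Return ('ok', text) or ('rejected', reason); expat's own errors count as rejection."""
    try:
        return "ok", HardenedParser(**limits).parse(doc)
    except (XMLSecurityError, expat.ExpatError) as exc:
        return "rejected", str(exc)


# Constructed sample documents (not from the thread).
BENIGN = '<!DOCTYPE r [<!ENTITY greet "hello">]><r>&greet; world</r>'
XXE = '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>'


def billion_laughs(levels=9, fanout=10):
    """Exponential expansion: lol9 would expand to 3 * 10**9 characters."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return "<!DOCTYPE lolz [\n" + "\n".join(decls) + f"\n]><lolz>&lol{levels};</lolz>"


def quadratic_blowup(entity_len=50_000, refs=100):
    """One 50 KB entity referenced 100 times: 5 MB of text from ~50 KB of input."""
    body = "x" * entity_len
    return f'<!DOCTYPE r [<!ENTITY a "{body}">]><r>{"&a;" * refs}</r>'
```

The declaration-time arithmetic is an approximation of what the expat patch would enforce natively: it over-counts references to the predefined entities (&lt; and friends) slightly and does not track parameter entities, and the character-data cap is per parser object, not process-wide as the expat limits in the message are. With the defaults above a nine-level billion-laughs document is rejected while declaring lol6 (3,000,000 characters), before any expansion happens.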