On Wed, 20 Feb 2013 22:55:57 +0100
Christian Heimes <christ...@python.org> wrote:
> On 20.02.2013 21:17, Maciej Fijalkowski wrote:
> > On Wed, Feb 20, 2013 at 8:24 PM, Christian Heimes <christ...@python.org> 
> > wrote:
> >> On 20.02.2013 17:25, Benjamin Peterson wrote:
> >>> Are these going to become patches for Python, too?
> >>
> >> I'm working on it. The patches need to be discussed as they break
> >> backward compatibility and AFAIK XML standards, too.
> > 
> > That's not very good. XML parsers are supposed to parse XML according
> > to standards. Is the goal to have them actually do that, or just
> > address DDOS issues?
> 
> But the standard is flawed.

It is not flawed as long as you are operating in a sandbox (read:
controlled environment).

> It's not a distributed DoS issue, it's a severe DoS vulnerability. A
> single 1 kB XML document can kill virtually any machine, even servers
> with more than a hundred GB of RAM.

Assuming an attacker can inject arbitrary XML. Not every XML document
is loaded from the Internet. Not everyone is a security nut.

Regards

Antoine.
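
The "1 kB document" Christian refers to works by declaring nested internal entities that the parser expands eagerly. As an added illustration (not code from this thread or from CPython), the following guard for the stock `xml.parsers.expat` parser refuses any entity declaration before expansion can start, and optionally refuses the DOCTYPE altogether; `ForbiddenXML` and `parse_untrusted_xml` are names chosen here, and the sample inputs are constructed.

```python
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised when untrusted input declares entities (or a DOCTYPE at all)."""


def parse_untrusted_xml(data, forbid_doctype=False):
    """Return the element names of ``data`` in document order.

    Expat expands internal entities eagerly, so a document a few hundred bytes
    long can declare nested entities whose expansion is orders of magnitude
    larger than the input.  Rejecting the *declaration* before any expansion
    takes place is the cheap defence; with ``forbid_doctype=True`` the whole
    DTD is refused, which is the right setting for documents from the network.
    """
    parser = expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_doctype:
            raise ForbiddenXML("DOCTYPE %r not allowed in untrusted input" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Called for internal, external and parameter entities alike; refusing
        # them here also blocks external-entity (file/URL) references, which
        # must be declared before they can be used.
        raise ForbiddenXML("entity declaration %r rejected" % name)

    def on_start(name, attrs):
        elements.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    # An exception raised inside a handler aborts the parse and propagates
    # out of Parse(), so nothing after the offending declaration is processed.
    parser.Parse(data, True)
    return elements


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    print(parse_untrusted_xml(b"<root><item/><item/></root>"))
    try:
        parse_untrusted_xml(b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>')
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

This bounds only entity expansion; element depth, attribute counts and document size still need their own limits for input from the network.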


_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev