On Feb 20, 2013, at 6:22 PM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Wed, 20 Feb 2013 18:21:22 -0500 > Donald Stufft <donald.stu...@gmail.com> wrote: >> On Wednesday, February 20, 2013 at 6:08 PM, Antoine Pitrou wrote: >>>> It's not a distributed DoS issue, it's a severe DoS vulnerabilities. A >>>> single 1 kB XML document can kill virtually any machine, even servers >>>> with more than hundred GB RAM. >>> >>> Assuming an attacker can inject arbitrary XML. Not every XML document >>> is loaded from the Internet. >> >> Even documents not loaded from the internet can be at risk. Often times >> security breaches are the result of a chain of actions. You can say "I'm >> not loading this XML from the internet, so therefore I am safe" but then >> you have another flaw (for example) where you unpack a zip file >> without verifying there are not absolute paths and suddenly your xml file has >> been replaces with a malicious one. > > Assuming your ZIP file is coming from the untrusted Internet, indeed. > Again, this is the same assumption that you are grabbing some important > data from someone you can't trust. > > Just because you are living in a Web-centric world doesn't mean > everyone does. There are a lot of use cases which are not impacted by > your security rules. Bugfix releases shouldn't break those use cases, > which means the security features should be mostly opt-in for 2.7 and > 3.3. > > Regards > > Antoine. Any type of input is a potential attack vector; this isn't web centric, it's a systemic flaw in the spec that allows any application that's loading XML to be bombed into oblivion. People need to trust that the standard library is reliable and sane-by-default. What we have right now isn't > _______________________________________________ > Python-Dev mailing list > Python-Dev@python.org > http://mail.python.org/mailman/listinfo/python-dev > Unsubscribe: > http://mail.python.org/mailman/options/python-dev/jnoller%40gmail.com _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
