On 02/20/2013 06:22 PM, Antoine Pitrou wrote:
> On Wed, 20 Feb 2013 18:21:22 -0500 Donald Stufft <donald.stu...@gmail.com> wrote:
>> On Wednesday, February 20, 2013 at 6:08 PM, Antoine Pitrou wrote:
>>>> It's not a distributed DoS issue, it's a severe DoS vulnerability.
>>>> A single 1 kB XML document can kill virtually any machine, even
>>>> servers with more than a hundred GB of RAM.
>>>>
>>> Assuming an attacker can inject arbitrary XML. Not every XML
>>> document is loaded from the Internet.
>>
>> Even documents not loaded from the internet can be at risk. Oftentimes
>> security breaches are the result of a chain of actions. You can say
>> "I'm not loading this XML from the internet, so therefore I am safe"
>> but then you have another flaw (for example) where you unpack a zip
>> file without verifying there are no absolute paths, and suddenly your
>> XML file has been replaced with a malicious one.
>
> Assuming your ZIP file is coming from the untrusted Internet, indeed.
> Again, this is the same assumption that you are grabbing some
> important data from someone you can't trust.
>
> Just because you are living in a Web-centric world doesn't mean
> everyone does. There are a lot of use cases which are not impacted by
> your security rules. Bugfix releases shouldn't break those use cases,
> which means the security features should be mostly opt-in for 2.7 and
> 3.3.
Two words: "hash randomization". If it applies to one, it applies to the other.

Tres.

- --
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
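The chain Donald describes above (an archive unpacked without checking member paths, then an XML file parsed with entity expansion enabled) can be cut at either link. The following is an added example, not code from this thread or from CPython: it checks zip member names for absolute paths, drive letters and ".." components before extraction, and parses XML with the standard-library expat bindings while refusing any entity declaration (the same "forbid entities" idea the defusedxml project uses). The in-memory archives and the XML snippets are constructed for the example; the function and exception names are the example's own.

```python
from __future__ import annotations

import io
import posixpath
import zipfile
from xml.parsers import expat


class UnsafeArchiveError(ValueError):
    """A zip member path would land outside the extraction directory."""


class UnsafeXMLError(ValueError):
    """The XML document declares entities, which enables expansion attacks."""


def is_safe_member_name(name: str) -> bool:
    """Reject absolute paths, Windows drive letters and any '..' component."""
    if not name or name.startswith(("/", "\\")):
        return False
    if len(name) > 1 and name[1] == ":":          # e.g. C:\boot.ini
        return False
    # Normalise on POSIX rules after unifying separators, then inspect parts.
    normalized = posixpath.normpath(name.replace("\\", "/"))
    parts = normalized.split("/")
    return ".." not in parts and normalized != "."


def check_archive(data: bytes) -> list[str]:
    """Return the member names of a zip, raising before anything is extracted
    if a single member would escape the target directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    bad = [n for n in names if not is_safe_member_name(n)]
    if bad:
        raise UnsafeArchiveError(f"unsafe member paths: {bad}")
    return names


def archive_is_safe(data: bytes) -> bool:
    try:
        check_archive(data)
        return True
    except UnsafeArchiveError:
        return False


def parse_without_entities(xml_bytes: bytes) -> dict[str, int]:
    """Parse with expat, aborting on any entity declaration (internal or
    external). Returns a count of elements per tag name as a small result."""
    counts: dict[str, int] = {}
    parser = expat.ParserCreate()

    def on_entity_decl(entity_name, is_parameter, value, base,
                       system_id, public_id, notation_name):
        # Exceptions raised in a handler propagate out of parser.Parse().
        raise UnsafeXMLError(f"entity declaration {entity_name!r} refused")

    def on_start(tag, attrs):
        counts[tag] = counts.get(tag, 0) + 1

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)
    return counts


def xml_is_safe(xml_bytes: bytes) -> bool:
    try:
        parse_without_entities(xml_bytes)
        return True
    except UnsafeXMLError:
        return False


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample archive, built in memory for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: one well-behaved archive, one that tries to overwrite
# a file outside the extraction root, and two XML documents.
SAFE_ZIP = build_zip({"data/config.xml": b"<config/>"})
UNSAFE_ZIP = build_zip({"data/config.xml": b"<config/>",
                        "../../config.xml": b"<config/>"})
PLAIN_XML = b"<r><a/><a/></r>"
ENTITY_XML = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'

if __name__ == "__main__":
    print("safe archive:", archive_is_safe(SAFE_ZIP))        # True
    print("unsafe archive:", archive_is_safe(UNSAFE_ZIP))    # False
    print("plain xml:", parse_without_entities(PLAIN_XML))   # {'r': 1, 'a': 2}
    print("xml with entities:", xml_is_safe(ENTITY_XML))     # False
```

Checking `namelist()` up front rather than per member during extraction keeps the decision all-or-nothing, so a partially extracted archive never sits on disk; refusing every entity declaration is stricter than counting expansions, but it is simple to audit and matches what most applications that merely read configuration actually need.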