On 02/21/2013 01:53 AM, Antoine Pitrou wrote:
> On Thu, 21 Feb 2013 11:37:47 +1100 Steven D'Aprano
> <st...@pearwood.info> wrote:
>>
>> It's easy to forget that malware existed long before the Internet.
>> The internet is just a transmission vector, it is not the source of
>> malicious files. The source of malicious files is *other people*,
>> and unless you never use XML files you didn't generate yourself, you
>> cannot completely trust the source. You might trust your colleagues
>> to not *intentionally* pass you a malicious XML file, but they may
>> still do so accidentally.
>
> That's in theory very nice, but in practice security in everyday
> computing hasn't really been a concern before the massification of
> Internet access.
>
> (yes, there have been viruses on mainstream platforms such as the
> Amiga, but it was pretty minor compared to nowadays, and nobody cared
> about potential DoS attacks for example)
>
> So, as for XML files, we are talking about a DoS vulnerability. It
> will take more than a single file to make a DoS attack really
> annoying, which means the attacker must pollute the source of those
> XML files in a systemic way. It's not "a single XML file will smuggle
> confidential data out of the building".

Antoine,

A single, small, malicious XML file can kill a machine (not just the
process parsing it) by sucking all available RAM. We are talking hard
lockup, reboot-to-fix-it sorts of DoS here.

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
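
An added example, not part of the message above or of any code from the thread: the message does not say how one small file exhausts memory, so this sketch assumes the cause is entity declarations in the document's DTD that expand during parsing, and refuses any document that declares entities before a tree is built. The names `EntitiesForbidden`, `check_no_entities` and `safe_fromstring`, the 1 MB size limit and both sample documents are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntitiesForbidden(ValueError):
    """Raised when an untrusted document declares its own entities."""


def _reject_entity(name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    # expat calls this once per <!ENTITY ...> declaration, which is before
    # any reference to the entity could be expanded in the document body.
    raise EntitiesForbidden(f"entity declaration refused: {name!r}")


def check_no_entities(data: bytes) -> None:
    """First pass: a bare expat parse that aborts on any entity declaration."""
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = _reject_entity
    parser.Parse(data, True)  # an exception raised in a handler propagates


def safe_fromstring(data: bytes, max_bytes: int = 1_000_000):
    """Parse untrusted XML only after a size check and the entity check."""
    if len(data) > max_bytes:
        raise ValueError(f"document exceeds {max_bytes} bytes")
    check_no_entities(data)
    return ET.fromstring(data)


# Constructed sample: ordinary data file, no DTD.
SAMPLE_PLAIN = b"<order><item qty='2'>widget</item></order>"

# Constructed sample: declares a single harmless entity. Rejecting at the
# declaration means the parser never needs to judge how far it would expand.
SAMPLE_WITH_ENTITY = (
    b'<!DOCTYPE order [<!ENTITY note "fragile">]>'
    b"<order><item>&note;</item></order>"
)

if __name__ == "__main__":
    print(safe_fromstring(SAMPLE_PLAIN).find("item").text)
    try:
        safe_fromstring(SAMPLE_WITH_ENTITY)
    except EntitiesForbidden as exc:
        print("rejected:", exc)
```

The check costs one extra pass over the input; documents that legitimately rely on internal entities would need an allow-list instead of a blanket refusal.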