On Thu, 21 Feb 2013 06:05:52 -0500, Jesse Noller <jnol...@gmail.com> wrote:
> On Feb 21, 2013, at 5:32 AM, Antoine Pitrou <solip...@pitrou.net>
> wrote:
>
> > On Thu, 21 Feb 2013 11:18:35 +0100,
> > Christian Heimes <christ...@python.org> wrote:
> >> On 21.02.2013 08:42, Antoine Pitrou wrote:
> >>> Sure, but in many instances, rebooting a machine is not
> >>> business-threatening. You will have a couple of minutes' downtime
> >>> and that's all. Which is why the attack must be repeated many
> >>> times to be a major annoyance.
> >>
> >> Is this business-threatening enough?
> >>
> >> https://pypi.python.org/pypi/defusedxml#external-entity-expansion-remote
> >
> > You haven't proved that these were actual threats, nor how they
> > actually worked. I'm gonna remain skeptical if there isn't anything
> > more precise than "It highly depends on the parser and the
> > application what kind of exploit is possible".
> >
> > Regards
> >
> > Antoine.
> >
>
> I guess someone needs to write a proof of concept exploit for you and
> release it into the wild.

I don't know whether you are trying to be ironic but, for the record,
proofs of concept needn't be "released into the wild" as long as they
exist.

Regards

Antoine.