On Thu, 21 Feb 2013 13:04:59 +0100, Christian Heimes <christ...@python.org> wrote:

> On 21.02.2013 11:32, Antoine Pitrou wrote:
> > You haven't proved that these were actual threats, nor how they
> > actually worked. I'm gonna remain skeptical if there isn't anything
> > more precise than "It highly depends on the parser and the
> > application what kind of exploit is possible".
>
> https://bitbucket.org/tiran/defusedxml/src/82f4037464418bf11ea734969b7ca1c193e6ed91/other/python-external.py?at=default
>
> $ ./python-external.py [snip]
Again, this requires that your attacker can directly feed XML to the system *and* read the response. Not every computer is a public Internet server.

Regards

Antoine.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
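The thread turns on whether an external-entity declaration in attacker-supplied XML is a practical threat for a given parser and application. As an added example (not part of this thread and not defusedxml's code), the following shows the defending side of that question with only the standard library: the expat parser is given handlers that abort the parse as soon as a DOCTYPE, an entity declaration, or an external entity reference appears, so the document is rejected before anything is resolved or expanded, regardless of whether the response would ever be observable. The sample documents, the `UnsafeXMLError` class and the `parse_hardened`/`is_safe_xml` function names are constructed for this example; the external entity's system id is a placeholder URI, not a real resource.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD, an entity, or an external reference."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Called by expat as soon as <!DOCTYPE ...> is seen, before any entity is declared.
    raise UnsafeXMLError("DOCTYPE declaration rejected: %r" % doctype_name)


def _reject_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # Covers both internal entities (expansion bombs) and external ones (SYSTEM/PUBLIC).
    raise UnsafeXMLError("entity declaration rejected: %r" % entity_name)


def _reject_external_ref(context, base, system_id, public_id):
    # Reached only if an external entity is actually referenced; it is never fetched.
    raise UnsafeXMLError("external entity reference rejected: %r" % system_id)


def parse_hardened(data):
    """Parse `data` (bytes) and return a {tag: count} dict.

    Any DTD-related construct aborts the parse with UnsafeXMLError. Exceptions
    raised inside expat handlers propagate out of Parse(), so no entity is
    resolved or expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref

    counts = {}

    def _start(name, attrs):
        counts[name] = counts.get(name, 0) + 1

    parser.StartElementHandler = _start
    parser.Parse(data, True)
    return counts


def is_safe_xml(data):
    """True if `data` parses without any DTD/entity constructs, False otherwise."""
    try:
        parse_hardened(data)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample inputs (not from the thread or from defusedxml).
PLAIN_DOC = b"<root><item/><item/></root>"
# Declares an external entity; the system id is a placeholder, not a real resource.
EXTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE root [<!ENTITY ext SYSTEM "http://example.invalid/entity.xml">]>'
    b"<root>&ext;</root>"
)
# Internal entity only: no file or network access, but still rejected by policy.
INTERNAL_ENTITY_DOC = (
    b'<!DOCTYPE root [<!ENTITY a "aaaaaaaa">]>'
    b"<root>&a;&a;&a;</root>"
)

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN_DOC),
                       ("external entity", EXTERNAL_ENTITY_DOC),
                       ("internal entity", INTERNAL_ENTITY_DOC)]:
        print("%-16s safe=%s" % (label, is_safe_xml(doc)))
```

Rejecting the DOCTYPE outright is the coarsest policy and corresponds to defusedxml's `forbid_dtd` option; the entity-declaration handler alone would still allow a DTD that declares no entities. For the SAX interface the narrower stdlib setting is `parser.setFeature(xml.sax.handler.feature_external_ges, False)`, which stops external general entities from being resolved but does not address internal entity expansion.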