On Thu, Feb 21, 2013 at 9:29 AM, Tres Seaver <tsea...@palladion.com> wrote:
> On 02/21/2013 01:53 AM, Antoine Pitrou wrote:
>> On Thu, 21 Feb 2013 11:37:47 +1100 Steven D'Aprano
>> <st...@pearwood.info> wrote:
>>>
>>> It's easy to forget that malware existed long before the Internet.
>>> The internet is just a transmission vector, it is not the source of
>>> malicious files. The source of malicious files is *other people*,
>>> and unless you never use XML files you didn't generate yourself, you
>>> cannot completely trust the source. You might trust your colleagues
>>> to not *intentionally* pass you a malicious XML file, but they may
>>> still do so accidentally.
>>
>> That's in theory very nice, but in practice security in everyday
>> computing hasn't really been a concern before the massification of
>> Internet access.
>>
>> (yes, there have been viruses on mainstream platforms such as the
>> Amiga, but it was pretty minor compared to nowadays, and nobody cared
>> about potential DoS attacks for example)
>>
>> So, as for XML files, we are talking about a DoS vulnerability. It
>> will take more than a single file to make a DoS attack really
>> annoying, which means the attacker must pollute the source of those
>> XML files in a systemic way. It's not "a single XML file will smuggle
>> confidential data out of the building".
>
> Antoine,
>
> A single, small, malicious XML file can kill a machine (not just the
> process parsing it) by sucking all available RAM. We are talking hard
> lockup, reboot-to-fix-it sorts of DoS here.
Er no. We're talking about running out of RAM. Any reasonable person would already have a limit one way or another (rlimits anyone).
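One concrete form of the rlimit approach the reply points at, added here as an illustration and not code from the thread: parse untrusted XML in a forked child whose address-space limit (RLIMIT_AS) is capped, so a document that tries to consume all RAM exhausts the child's budget rather than the host's. The function names and the sample document are my own; it assumes a Unix host where `os.fork` and the `resource` module are available.

```python
import os
import resource
import xml.etree.ElementTree as ET


def _bounded_parse(xml_bytes, max_bytes, write_fd):
    """Child side: cap the address space, parse, report, exit. Never returns."""
    soft, hard = resource.getrlimit(resource.RLIMIT_AS)
    if hard != resource.RLIM_INFINITY:
        max_bytes = min(max_bytes, hard)  # a process may not raise its hard limit
    resource.setrlimit(resource.RLIMIT_AS, (max_bytes, max_bytes))
    try:
        root = ET.fromstring(xml_bytes)
        result = "ok:%d" % sum(1 for _ in root.iter())
    except MemoryError:
        # The kernel refused further allocation; Python surfaces it as MemoryError.
        result = "memory-limit"
    except ET.ParseError as exc:
        result = "parse-error:%s" % exc
    os.write(write_fd, result.encode())
    os._exit(0)  # skip atexit handlers and inherited stdio buffers


def parse_with_limit(xml_bytes, max_bytes=1024 * 1024 * 1024):
    """Parse untrusted XML in a forked child with RLIMIT_AS capped at max_bytes.

    Returns 'ok:<element count>', 'memory-limit', 'parse-error:<msg>', or
    'child-died' when the child was killed before it could report back.
    """
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:                      # child
        os.close(read_fd)
        _bounded_parse(xml_bytes, max_bytes, write_fd)
    os.close(write_fd)                # parent keeps only the read end
    chunks = []
    while True:
        data = os.read(read_fd, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(read_fd)
    os.waitpid(pid, 0)
    return b"".join(chunks).decode() or "child-died"


if __name__ == "__main__":
    # Constructed, benign sample document used to exercise the harness.
    sample = b"<root><item id='1'/><item id='2'><sub/></item></root>"
    print(parse_with_limit(sample))  # ok:4
```

The limit applies only to the child, so the parent process and the rest of the machine keep their memory even if the child hits the cap and fails.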