On Wednesday, February 20, 2013 at 6:22 PM, Antoine Pitrou wrote:

> On Wed, 20 Feb 2013 18:21:22 -0500
> Donald Stufft <donald.stu...@gmail.com> wrote:
> > On Wednesday, February 20, 2013 at 6:08 PM, Antoine Pitrou wrote:
> > > > It's not a distributed DoS issue, it's a severe DoS vulnerability. A
> > > > single 1 kB XML document can kill virtually any machine, even servers
> > > > with more than hundred GB RAM.
> > >
> > > Assuming an attacker can inject arbitrary XML. Not every XML document
> > > is loaded from the Internet.
> >
> > Even documents not loaded from the internet can be at risk. Often times
> > security breaches are the result of a chain of actions. You can say "I'm
> > not loading this XML from the internet, so therefore I am safe" but then
> > you have another flaw (for example) where you unpack a zip file
> > without verifying there are not absolute paths and suddenly your xml file
> > has been replaced with a malicious one.
>
> Assuming your ZIP file is coming from the untrusted Internet, indeed.
> Again, this is the same assumption that you are grabbing some important
> data from someone you can't trust.
No software you run on your computer grabs data from someone you don't trust, and it all validates that, even though you trust them, they haven't been exploited? Like I said, these sorts of things are often caused by chaining several unrelated things together.

> Just because you are living in a Web-centric world doesn't mean
> everyone does. There are a lot of use cases which are not impacted by
> your security rules. Bugfix releases shouldn't break those use cases,
> which means the security features should be mostly opt-in for 2.7 and
> 3.3.
>
> Regards
>
> Antoine.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> http://mail.python.org/mailman/options/python-dev/donald.stufft%40gmail.com
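The chain Donald describes has two links a defender can check before trusting a file: an archive member whose path would escape the extraction directory, and an XML document that declares entities (the precondition for the tiny-document expansion Christian mentions). As an added example that is not code from this thread, the helpers below (hypothetical names; the sample archive and documents are constructed) refuse both using only the standard library:

```python
import io
import zipfile
import xml.parsers.expat
import xml.etree.ElementTree as ET

class EntityDeclarationError(ValueError):
    """The document declares entities, the precondition for DTD-driven expansion."""

def unsafe_zip_members(zf):
    """Member names that could land outside the extraction directory
    (absolute path, '..' component or a Windows drive prefix)."""
    bad = []
    for name in zf.namelist():
        normalized = name.replace("\\", "/")
        parts = normalized.split("/")
        if normalized.startswith("/") or ".." in parts or normalized[1:2] == ":":
            bad.append(name)
    return bad

def declares_entities(data):
    """Expat pre-pass: stop at the first <!ENTITY> declaration, before anything could be expanded."""
    def on_entity(name, *_):
        raise EntityDeclarationError(name)
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except EntityDeclarationError:
        return True
    return False

def parse_without_entities(data):
    """Build a tree only for documents that declare no entities at all (fail closed)."""
    if declares_entities(data):
        raise EntityDeclarationError("document declares entities; refusing to parse")
    return ET.fromstring(data)

def build_sample_zip():
    """Constructed archive: one absolute member, one traversal member, one harmless one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("/etc/app/config.xml", "<config/>")
        zf.writestr("data/../../config.xml", "<config/>")
        zf.writestr("data/config.xml", "<config/>")
    buf.seek(0)
    return zipfile.ZipFile(buf)

SAFE_XML = b"<config><item>1</item></config>"
# Constructed: the shape of an entity-expansion document, kept at two levels so it stays tiny.
EXPANDING_XML = b'<!DOCTYPE x [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]><config>&b;</config>'
```

Rejecting any entity declaration is deliberately coarse: a document that legitimately needs a DTD is refused too, which is the trade-off Antoine objects to for an opt-out default.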