[Python-Dev] XML DoS vulnerabilities and exploits in Python
R. David Murray
rdmurray at bitdance.com
Wed Feb 20 23:45:58 CET 2013
On Thu, 21 Feb 2013 11:35:23 +1300, Greg Ewing <greg.ewing at canterbury.ac.nz> wrote:
> Carl Meyer wrote:
> > An XML parser that follows the XML standard is never safe to expose to
> > untrusted input.
>
> Does the XML standard really mandate that a conforming parser
> must blindly download any DTD URL given to it from the real
> live internet? Somehow I doubt that.
I don't believe it does. The DTD URL is, if I remember correctly,
specified as an identifier. The fact that you can often also download the
DTD from the location specified by the identifier is a secondary effect.
But, it's been a *long* time since I looked at XML :)
(Wikipedia says: "Programs for reading documents may not be required to
read the external subset.", which would seem to confirm that.)
--David
More information about the Python-Dev
mailing list