Python - remote object protocols and security

Chris Angelico rosuav at gmail.com
Mon Jul 15 11:53:21 EDT 2013


On Tue, Jul 16, 2013 at 1:42 AM, Burak Arslan
<burak.arslan at arskom.com.tr> wrote:
> On 07/15/13 13:57, Chris Angelico wrote:
>> But what I meant was that the [Json] protocol itself is designed with
>> security restrictions in mind. It's designed not to fetch additional
>> content from the network (as XML can),
>
> Can you explain how parsing XML can fetch data from the network?

I haven't looked into the details, but there was one among a list of
exploits that was being discussed a few months ago; it involved XML
schemas, I think, and quite a few generic XML parsers could be tricked
into fetching arbitrary documents. Whether this could be used for
anything more serious than a document-viewed receipt or a denial of
service (via latency) I don't know, but if nothing else, it's a vector
that JSON simply doesn't have.

ChrisA
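As an added example (not part of this thread), here is what the "fetch something external" hooks look like in Python's stdlib expat binding, together with a small gate that refuses documents containing them; the sample XML and the example.invalid URLs are constructed for illustration.

```python
import xml.parsers.expat

class ExternalReferenceFound(ValueError):
    """Raised when a document asks the parser to fetch something external."""

def audit_external_refs(xml_bytes):
    """Return (kind, uri) for every place the document points the parser at an
    external resource: DOCTYPE system id, external entity declarations, and
    references to such entities in content. expat only reports these; a stack
    that plugs a URL resolver into these hooks is what turns a parse into a fetch."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:
            found.append(("doctype-system-id", system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id:  # value is None for an external entity
            found.append(("external-entity-decl", system_id))

    def on_external_ref(context, base, system_id, public_id):
        found.append(("external-entity-ref", system_id))
        return 1  # non-zero keeps parsing; the entity is skipped, never fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return found

def parse_untrusted(xml_bytes):
    """Gate for untrusted input: refuse any external reference, otherwise
    return the root element name (stand-in for the real processing)."""
    refs = audit_external_refs(xml_bytes)
    if refs:
        raise ExternalReferenceFound(refs)
    names = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names[0]

# Constructed samples; example.invalid is a reserved name that never resolves.
SAMPLE_CLEAN = b'<?xml version="1.0"?><receipt><total>12.50</total></receipt>'
SAMPLE_EXTERNAL = b"""<?xml version="1.0"?>
<!DOCTYPE receipt SYSTEM "http://example.invalid/receipt.dtd" [
  <!ENTITY tracker SYSTEM "http://example.invalid/seen?id=42">
]>
<receipt>&tracker;<total>12.50</total></receipt>"""
```

Higher-level libraries (xml.sax, lxml) expose the same hooks as feature flags; the audit above shows what those flags are gating.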


