Python - remote object protocols and security

Chris Angelico rosuav at gmail.com
Mon Jul 15 12:41:09 EDT 2013


On Tue, Jul 16, 2013 at 2:31 AM, Burak Arslan
<burak.arslan at arskom.com.tr> wrote:
> On 07/15/13 16:53, Chris Angelico wrote:
>> I haven't looked into the details, but there was one among a list of
>> exploits that was being discussed a few months ago; it involved XML
>> schemas, I think, and quite a few generic XML parsers could be tricked
>> into fetching arbitrary documents. Whether this could be used for
>> anything more serious than a document-viewed receipt or a denial of
>> service (via latency) I don't know, but if nothing else, it's a vector
>> that JSON simply doesn't have.
>>
>> ChrisA
>
> I must have missed that exploit report, can you provide a link?
>
> Parsing arbitrary xml documents and parsing xml schema documents and
> applying xml schema semantics to these documents are two very different
> operations.

I don't remember all the details; it isn't something I took particular
note of, as I don't work much with XML. It was something involving
either a schema declaration or a DTD or something of the sort, where
normally no external lookup is required but there's an HTTP URL in
there and it's possible to force that to be resolved.

> Xml schemas are not "tricked" into fetching arbitrary documents,
> xs:include and xs:import fetch external documents, it's a well-known
> feature. If you don't want this, you should ship all of the schema
> documents together and generate the schemas in a way to not include any
> external references. So I'm surprised this was presented as a security
> exploit.

It was something that parsing a basic XML document could trigger, and
in an environment where you wouldn't normally expect extra HTTP
requests to be going out, hence "tricked".

> Json schemas also have similar functionality:
> http://json-schema.org/latest/json-schema-core.html#anchor30
>
> """
> if canonical dereferencing is used, the implementation will dereference
> this URI, and fetch the content at this URI;
> """
>
> So I don't understand how you're so sure of yourself, but to me, it
> seems like Json schemas have the same attack vectors.

Yes, but normal JSON data doesn't include schema references. Normal
XML data can and often does.

ChrisA
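
The references discussed in this thread (a DOCTYPE or entity declaration carrying a URL, an xsi:schemaLocation hint, xs:include and xs:import) can be listed before a document reaches a full XML processor. The following is an added example, not code from either poster; it uses Python's standard `xml.parsers.expat`, and the function name `external_references` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

def external_references(xml_bytes):
    """Return (kind, uri) pairs a processor could be asked to resolve.
    expat only reports them here; nothing is fetched."""
    found = []
    parser = expat.ParserCreate()
    # Never load the external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:
            found.append(("doctype", system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id:  # external entity: defined by URI, not by a literal value
            found.append(("entity", system_id))

    def on_start_element(tag, attrs):
        element = tag.rpartition(":")[2]
        for attr, value in attrs.items():
            local = attr.rpartition(":")[2]
            if local == "noNamespaceSchemaLocation":
                found.append(("schema-hint", value))
            elif local == "schemaLocation" and element in ("include", "import"):
                found.append(("schema-" + element, value))  # xs:include / xs:import
            elif local == "schemaLocation":
                # xsi:schemaLocation holds "namespace location" pairs
                found.extend(("schema-hint", u) for u in value.split()[1::2])

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start_element
    parser.Parse(xml_bytes, True)
    return found

# Constructed sample documents (hosts under .invalid never resolve).
SAMPLE_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE receipt SYSTEM "http://dtd.example.invalid/receipt.dtd" [
  <!ENTITY footer SYSTEM "http://files.example.invalid/footer.txt">
]>
<receipt>paid</receipt>"""
SAMPLE_XSI = b"""<order xmlns="urn:example:order"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:example:order http://schemas.example.invalid/order.xsd"/>"""

if __name__ == "__main__":
    for doc in (SAMPLE_DTD, SAMPLE_XSI, b"<receipt>paid</receipt>"):
        print(external_references(doc))
```

A non-empty result is a reason to reject the document or to route it to a parser configured with network access and entity resolution disabled.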