[XML-sig] defusedxml -- defusing XML bombs and other exploits
Wes Turner
wes.turner at gmail.com
Tue May 29 00:17:53 EDT 2018
(I wasn't subscribed to this list. Forwarding this along re: defusedxml)
---------- Forwarded message ----------
From: *Wes Turner* <wes.turner at gmail.com>
Date: Monday, May 28, 2018
Subject: [Python-Dev] The history of PyXML
To: Serhiy Storchaka <storchaka at gmail.com>
Cc: "python-dev at python.org" <python-dev at python.org>, "xml-sig at python.org" <xml-sig at python.org>
On Thursday, May 17, 2018, Serhiy Storchaka <storchaka at gmail.com> wrote:
> [...]
>
> I'm trying to figure out some intentions and fix possible bugs in the xml
> package.
defusedxml
https://pypi.org/project/defusedxml/
> XML bomb protection for Python stdlib modules
https://pypi.org/project/defusedxml/#how-to-avoid-xml-vulnerabilities
"""
Best practices
- Don’t allow DTDs
- Don’t expand entities
- Don’t resolve externals
- Limit parse depth
- Limit total input size
- Limit parse time
- Favor a SAX or iterparse-like parser for potential large data
- Validate and properly quote arguments to XSL transformations and XPath queries
- Don’t use XPath expression from untrusted sources
- Don’t apply XSL transformations that come from untrusted sources
"""
https://github.com/tiran/defusedxml
> The history of all commits could help.
>
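The first five best practices quoted above (no DTDs, no entity expansion, no externals, bounded depth, bounded input size) can be enforced with nothing but the stdlib expat parser. The following is an added example written for this thread, not code from defusedxml or from the original post; the function and exception names are my own, and the two documents are constructed samples.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class ForbiddenXML(ValueError):
    """Raised when a document uses a feature this parser refuses to process."""


def parse_defused(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 32) -> ET.Element:
    """Parse untrusted XML into an ElementTree, rejecting DTDs, entities,
    external references, over-deep nesting and over-large input."""
    if len(data) > max_bytes:                       # limit total input size
        raise ForbiddenXML(f"input larger than {max_bytes} bytes")
    parser = xml.parsers.expat.ParserCreate()

    # Any DTD, entity declaration or external reference aborts the parse;
    # an exception raised inside an expat handler propagates out of Parse().
    def forbid_dtd(*_):
        raise ForbiddenXML("DTD not allowed")

    def forbid_entity(*_):
        raise ForbiddenXML("entity declaration not allowed")

    def forbid_external(*_):
        raise ForbiddenXML("external reference not allowed")

    parser.StartDoctypeDeclHandler = forbid_dtd
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external

    builder = ET.TreeBuilder()
    depth = 0

    def start(name, attrs):                          # limit parse depth
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise ForbiddenXML(f"nesting deeper than {max_depth}")
        builder.start(name, attrs)

    def end(name):
        nonlocal depth
        depth -= 1
        builder.end(name)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def rejection_reason(data: bytes):
    """Return the ForbiddenXML message for data, or None if it parses cleanly."""
    try:
        parse_defused(data)
    except ForbiddenXML as exc:
        return str(exc)
    return None


def stdlib_text(data: bytes):
    """What the plain stdlib parser yields: internal entities are expanded silently."""
    return ET.fromstring(data).text


# Constructed samples: one with an internal DTD entity, one benign, one deeply nested.
WITH_DTD = b'<?xml version="1.0"?>\n<!DOCTYPE r [<!ENTITY e "expanded text">]>\n<r>&e;</r>'
BENIGN = b"<r><a x='1'>hi</a></r>"
DEEP = b"<a>" * 40 + b"</a>" * 40
```

Running the defused parser over the samples shows the DTD document rejected before any entity is expanded, while the plain stdlib parser returns the expanded text.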