[Python-Dev] xml.sax and xml.dom fetch DTDs by default (was XML DoS vulnerabilities and exploits in Python)
Paul Boddie
paul at boddie.org.uk
Fri Feb 22 00:47:08 CET 2013
Perhaps related to the discussion of denial-of-service vulnerabilities is the
matter of controlling access to remote resources. I suppose that after the
following bug was closed, no improvements were made to the standard library:
http://bugs.python.org/issue2124
Do Python programs still visit the W3C site millions of times every day to
download DTDs that they are not, by default, able to remember from their last
visit?
Paul
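
An added illustration, not part of the original message and not standard-library code: an `xml.sax` entity resolver that serves DTDs from a local catalog and blocks every other external reference, so a parse never contacts the W3C site. `CatalogResolver`, `TextCollector`, `parse_offline`, the sample document and the stand-in DTD bytes are all constructed for this example.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample: an XHTML document whose DOCTYPE points at a W3C-hosted DTD.
XHTML_DTD = "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
SAMPLE = ('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "%s">\n'
          '<html><body>hello</body></html>' % XHTML_DTD).encode("ascii")

class CatalogResolver(EntityResolver):
    """Serve external entities from a local catalog; never touch the network."""
    def __init__(self, catalog):
        self.catalog = catalog      # system id -> locally stored bytes
        self.served, self.blocked = [], []

    def resolveEntity(self, publicId, systemId):
        data = self.catalog.get(systemId)
        (self.blocked if data is None else self.served).append(systemId)
        source = InputSource(systemId)
        # Always hand back a byte stream: xml.sax only opens the system id
        # itself (file or URL) when the InputSource carries no stream.
        source.setByteStream(io.BytesIO(data or b""))
        return source

class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)

def parse_offline(document, catalog, external_ges):
    """Parse `document`; return (text, served ids, blocked ids)."""
    resolver, collector = CatalogResolver(catalog), TextCollector()
    parser = xml.sax.make_parser()
    # Set explicitly rather than relying on the interpreter's default.
    parser.setFeature(feature_external_ges, external_ges)
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.text), resolver.served, resolver.blocked

if __name__ == "__main__":
    local_copy = {XHTML_DTD: b"<!ELEMENT html ANY>\n"}  # constructed stand-in DTD
    for ges, catalog in ((False, {}), (True, local_copy), (True, {})):
        print(ges, sorted(catalog), parse_offline(SAMPLE, catalog, ges))
```

Since Python 3.7.1, `xml.sax` leaves `feature_external_ges` off by default, so the resolver is only consulted when a program turns that feature back on.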