Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
cpython
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
cpython
Commits
1df04e88
Commit
1df04e88
authored
Mar 26, 2013
by
Christian Heimes
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Issue 17538: Document XML vulnerabilties
parent
2323cb79
Changes
10
Show whitespace changes
Inline
Side-by-side
Showing
10 changed files
with
187 additions
and
0 deletions
+187
-0
Doc/library/markup.rst
Doc/library/markup.rst
+1
-0
Doc/library/pyexpat.rst
Doc/library/pyexpat.rst
+7
-0
Doc/library/xml.dom.minidom.rst
Doc/library/xml.dom.minidom.rst
+8
-0
Doc/library/xml.dom.pulldom.rst
Doc/library/xml.dom.pulldom.rst
+8
-0
Doc/library/xml.etree.elementtree.rst
Doc/library/xml.etree.elementtree.rst
+8
-0
Doc/library/xml.rst
Doc/library/xml.rst
+131
-0
Doc/library/xml.sax.rst
Doc/library/xml.sax.rst
+8
-0
Doc/library/xmlrpc.client.rst
Doc/library/xmlrpc.client.rst
+7
-0
Doc/library/xmlrpc.server.rst
Doc/library/xmlrpc.server.rst
+7
-0
Misc/NEWS
Misc/NEWS
+2
-0
No files found.
Doc/library/markup.rst
View file @
1df04e88
...
@@ -23,6 +23,7 @@ definition of the Python bindings for the DOM and SAX interfaces.
...
@@ -23,6 +23,7 @@ definition of the Python bindings for the DOM and SAX interfaces.
html.rst
html.rst
html.parser.rst
html.parser.rst
html.entities.rst
html.entities.rst
xml.rst
xml.etree.elementtree.rst
xml.etree.elementtree.rst
xml.dom.rst
xml.dom.rst
xml.dom.minidom.rst
xml.dom.minidom.rst
...
...
Doc/library/pyexpat.rst
View file @
1df04e88
...
@@ -14,6 +14,13 @@
...
@@ -14,6 +14,13 @@
references to these attributes should be marked using the :member: role.
references to these attributes should be marked using the :member: role.
.. warning::
The :mod:`pyexpat` module is not secure against maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
.. index:: single: Expat
.. index:: single: Expat
The :mod:`xml.parsers.expat` module is a Python interface to the Expat
The :mod:`xml.parsers.expat` module is a Python interface to the Expat
...
...
Doc/library/xml.dom.minidom.rst
View file @
1df04e88
...
@@ -17,6 +17,14 @@ to be simpler than the full DOM and also significantly smaller. Users who are
...
@@ -17,6 +17,14 @@ to be simpler than the full DOM and also significantly smaller. Users who are
not already proficient with the DOM should consider using the
not already proficient with the DOM should consider using the
:mod:`xml.etree.ElementTree` module for their XML processing instead
:mod:`xml.etree.ElementTree` module for their XML processing instead
.. warning::
The :mod:`xml.dom.minidom` module is not secure against
maliciously constructed data. If you need to parse untrusted or
unauthenticated data see :ref:`xml-vulnerabilities`.
DOM applications typically start by parsing some XML into a DOM. With
DOM applications typically start by parsing some XML into a DOM. With
:mod:`xml.dom.minidom`, this is done through the parse functions::
:mod:`xml.dom.minidom`, this is done through the parse functions::
...
...
Doc/library/xml.dom.pulldom.rst
View file @
1df04e88
...
@@ -17,6 +17,14 @@ processing model together with callbacks, the user of a pull parser is
...
@@ -17,6 +17,14 @@ processing model together with callbacks, the user of a pull parser is
responsible for explicitly pulling events from the stream, looping over those
responsible for explicitly pulling events from the stream, looping over those
events until either processing is finished or an error condition occurs.
events until either processing is finished or an error condition occurs.
.. warning::
The :mod:`xml.dom.pulldom` module is not secure against
maliciously constructed data. If you need to parse untrusted or
unauthenticated data see :ref:`xml-vulnerabilities`.
Example::
Example::
from xml.dom import pulldom
from xml.dom import pulldom
...
...
Doc/library/xml.etree.elementtree.rst
View file @
1df04e88
...
@@ -13,6 +13,14 @@ The :class:`Element` type is a flexible container object, designed to store
...
@@ -13,6 +13,14 @@ The :class:`Element` type is a flexible container object, designed to store
hierarchical data structures in memory. The type can be described as a cross
hierarchical data structures in memory. The type can be described as a cross
between a list and a dictionary.
between a list and a dictionary.
.. warning::
The :mod:`xml.etree.ElementTree` module is not secure against
maliciously constructed data. If you need to parse untrusted or
unauthenticated data see :ref:`xml-vulnerabilities`.
Each element has a number of properties associated with it:
Each element has a number of properties associated with it:
* a tag which is a string identifying what kind of data this element represents
* a tag which is a string identifying what kind of data this element represents
...
...
Doc/library/xml.rst
0 → 100644
View file @
1df04e88
..
_xml
:
XML
Processing
Modules
======================
..
module
::
xml
:
synopsis
:
Package
containing
XML
processing
modules
..
sectionauthor
::
Christian
Heimes
<
christian
@
python
.
org
>
..
sectionauthor
::
Georg
Brandl
<
georg
@
python
.
org
>
Python
's interfaces for processing XML are grouped in the ``xml`` package.
.. warning::
The XML modules are not secure against erroneous or maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
It is important to note that modules in the :mod:`xml` package require that
there be at least one SAX-compliant XML parser available. The Expat parser is
included with Python, so the :mod:`xml.parsers.expat` module will always be
available.
The documentation for the :mod:`xml.dom` and :mod:`xml.sax` packages are the
definition of the Python bindings for the DOM and SAX interfaces.
The XML handling submodules are:
* :mod:`xml.etree.ElementTree`: the ElementTree API, a simple and lightweight
..
* :mod:`xml.dom`: the DOM API definition
* :mod:`xml.dom.minidom`: a lightweight DOM implementation
* :mod:`xml.dom.pulldom`: support for building partial DOM trees
..
* :mod:`xml.sax`: SAX2 base classes and convenience functions
* :mod:`xml.parsers.expat`: the Expat parser binding
.. _xml-vulnerabilities:
XML vulnerabilities
===================
The XML processing modules are not secure against maliciously constructed data.
An attacker can abuse vulnerabilities for e.g. denial of service attacks, to
access local files, to generate network connections to other machines, or
to or circumvent firewalls. The attacks on XML abuse unfamiliar features
like inline `DTD`_ (document type definition) with entities.
========================= ======== ========= ========= ======== =========
kind sax etree minidom pulldom xmlrpc
========================= ======== ========= ========= ======== =========
billion laughs **True** **True** **True** **True** **True**
quadratic blowup **True** **True** **True** **True** **True**
external entity expansion **True** False (1) False (2) **True** False (3)
DTD retrieval **True** False False **True** False
decompression bomb False False False False **True**
========================= ======== ========= ========= ======== =========
1. :mod:`xml.etree.ElementTree` doesn'
t
expand
external
entities
and
raises
a
ParserError
when
an
entity
occurs
.
2.
:
mod
:`
xml
.
dom
.
minidom
`
doesn
't expand external entities and simply returns
the unexpanded entity verbatim.
3. :mod:`xmlrpclib` doesn'
t
expand
external
entities
and
omits
them
.
billion
laughs
/
exponential
entity
expansion
The
`
Billion
Laughs
`
_
attack
--
also
known
as
exponential
entity
expansion
--
uses
multiple
levels
of
nested
entities
.
Each
entity
refers
to
another
entity
several
times
,
the
final
entity
definition
contains
a
small
string
.
Eventually
the
small
string
is
expanded
to
several
gigabytes
.
The
exponential
expansion
consumes
lots
of
CPU
time
,
too
.
quadratic
blowup
entity
expansion
A
quadratic
blowup
attack
is
similar
to
a
`
Billion
Laughs
`
_
attack
;
it
abuses
entity
expansion
,
too
.
Instead
of
nested
entities
it
repeats
one
large
entity
with
a
couple
of
thousand
chars
over
and
over
again
.
The
attack
isn
't as
efficient as the exponential case but it avoids triggering countermeasures of
parsers against heavily nested entities.
external entity expansion
Entity declarations can contain more than just text for replacement. They can
also point to external resources by public identifiers or system identifiers.
System identifiers are standard URIs or can refer to local files. The XML
parser retrieves the resource with e.g. HTTP or FTP requests and embeds the
content into the XML document.
DTD retrieval
Some XML libraries like Python'
s
mod
:
'xml.dom.pulldom'
retrieve
document
type
definitions
from
remote
or
local
locations
.
The
feature
has
similar
implications
as
the
external
entity
expansion
issue
.
decompression
bomb
The
issue
of
decompression
bombs
(
aka
`
ZIP
bomb
`
_
)
apply
to
all
XML
libraries
that
can
parse
compressed
XML
stream
like
gzipped
HTTP
streams
or
LZMA
-
ed
files
.
For
an
attacker
it
can
reduce
the
amount
of
transmitted
data
by
three
magnitudes
or
more
.
The
documentation
of
`
defusedxml
`
_
on
PyPI
has
further
information
about
all
known
attack
vectors
with
examples
and
references
.
defused
packages
----------------
`
defusedxml
`
_
is
a
pure
Python
package
with
modified
subclasses
of
all
stdlib
XML
parsers
that
prevent
any
potentially
malicious
operation
.
The
courses
of
action
are
recommended
for
any
server
code
that
parses
untrusted
XML
data
.
The
package
also
ships
with
example
exploits
and
an
extended
documentation
on
more
XML
exploits
like
xpath
injection
.
`
defusedexpat
`
_
provides
a
modified
libexpat
and
patched
replacment
:
mod
:`
pyexpat
`
extension
module
with
countermeasures
against
entity
expansion
DoS
attacks
.
Defusedexpat
still
allows
a
sane
and
configurable
amount
of
entity
expansions
.
The
modifications
will
be
merged
into
future
releases
of
Python
.
The
workarounds
and
modifications
are
not
included
in
patch
releases
as
they
break
backward
compatibility
.
After
all
inline
DTD
and
entity
expansion
are
well
-
definied
XML
features
.
..
_defusedxml
:
<
https
://
pypi
.
python
.
org
/
pypi
/
defusedxml
/>
..
_defusedexpat
:
<
https
://
pypi
.
python
.
org
/
pypi
/
defusedexpat
/>
..
_Billion
Laughs
:
http
://
en
.
wikipedia
.
org
/
wiki
/
Billion_laughs
..
_ZIP
bomb
:
http
://
en
.
wikipedia
.
org
/
wiki
/
Zip_bomb
..
_DTD
:
http
://
en
.
wikipedia
.
org
/
wiki
/
Document_Type_Definition
Doc/library/xml.sax.rst
View file @
1df04e88
...
@@ -13,6 +13,14 @@ Simple API for XML (SAX) interface for Python. The package itself provides the
...
@@ -13,6 +13,14 @@ Simple API for XML (SAX) interface for Python. The package itself provides the
SAX exceptions and the convenience functions which will be most used by users of
SAX exceptions and the convenience functions which will be most used by users of
the SAX API.
the SAX API.
.. warning::
The :mod:`xml.sax` module is not secure against maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
The convenience functions are:
The convenience functions are:
...
...
Doc/library/xmlrpc.client.rst
View file @
1df04e88
...
@@ -21,6 +21,13 @@ supports writing XML-RPC client code; it handles all the details of translating
...
@@ -21,6 +21,13 @@ supports writing XML-RPC client code; it handles all the details of translating
between conformable Python objects and XML on the wire.
between conformable Python objects and XML on the wire.
.. warning::
The :mod:`xmlrpc.client` module is not secure against maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
.. class:: ServerProxy(uri, transport=None, encoding=None, verbose=False, allow_none=False, use_datetime=False)
.. class:: ServerProxy(uri, transport=None, encoding=None, verbose=False, allow_none=False, use_datetime=False)
A :class:`ServerProxy` instance is an object that manages communication with a
A :class:`ServerProxy` instance is an object that manages communication with a
...
...
Doc/library/xmlrpc.server.rst
View file @
1df04e88
...
@@ -16,6 +16,13 @@ servers written in Python. Servers can either be free standing, using
...
@@ -16,6 +16,13 @@ servers written in Python. Servers can either be free standing, using
:class:`CGIXMLRPCRequestHandler`.
:class:`CGIXMLRPCRequestHandler`.
.. warning::
The :mod:`xmlrpc.client` module is not secure against maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
.. class:: SimpleXMLRPCServer(addr, requestHandler=SimpleXMLRPCRequestHandler, logRequests=True, allow_none=False, encoding=None, bind_and_activate=True)
.. class:: SimpleXMLRPCServer(addr, requestHandler=SimpleXMLRPCRequestHandler, logRequests=True, allow_none=False, encoding=None, bind_and_activate=True)
Create a new server instance. This class provides methods for registration of
Create a new server instance. This class provides methods for registration of
...
...
Misc/NEWS
View file @
1df04e88
...
@@ -1156,6 +1156,8 @@ Tools/Demos
...
@@ -1156,6 +1156,8 @@ Tools/Demos
Documentation
Documentation
-------------
-------------
- Issue 17538: Document XML vulnerabilties
- Issue #17047: remove doubled words in docs and docstrings
- Issue #17047: remove doubled words in docs and docstrings
reported by Serhiy Storchaka and Matthew Barnett.
reported by Serhiy Storchaka and Matthew Barnett.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment