Kirill Smelkov / cpython / Commits / 768f6a53

Commit 768f6a53 authored Mar 26, 2013 by Christian Heimes
Issue 17538: Document XML vulnerabilities
parents: c40f97f8, 7380a672
Changes: 9 changed files with 158 additions and 0 deletions (+158 -0)

- Doc/library/pyexpat.rst (+7 -0)
- Doc/library/xml.dom.minidom.rst (+8 -0)
- Doc/library/xml.dom.pulldom.rst (+8 -0)
- Doc/library/xml.etree.elementtree.rst (+7 -0)
- Doc/library/xml.rst (+104 -0)
- Doc/library/xml.sax.rst (+8 -0)
- Doc/library/xmlrpc.client.rst (+7 -0)
- Doc/library/xmlrpc.server.rst (+7 -0)
- Misc/NEWS (+2 -0)
Doc/library/pyexpat.rst
...
@@ -14,6 +14,13 @@
...
@@ -14,6 +14,13 @@
references to these attributes should be marked using the :member: role.
references to these attributes should be marked using the :member: role.
.. warning::
The :mod:`pyexpat` module is not secure against maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
.. index:: single: Expat
.. index:: single: Expat
The :mod:`xml.parsers.expat` module is a Python interface to the Expat
The :mod:`xml.parsers.expat` module is a Python interface to the Expat
...
...
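Review bot: The new warning in this hunk is placed above the `.. index:: single: Expat` directive and the module's opening paragraph, whereas every other file touched by this commit puts the warning after its introductory text; moving it below the paragraph beginning "The :mod:`xml.parsers.expat` module is a Python interface to the Expat" would keep the placement consistent across the XML module pages. The wording and the :ref:`xml-vulnerabilities` target match the section added to Doc/library/xml.rst.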
Doc/library/xml.dom.minidom.rst
...
@@ -17,6 +17,14 @@ to be simpler than the full DOM and also significantly smaller. Users who are
...
@@ -17,6 +17,14 @@ to be simpler than the full DOM and also significantly smaller. Users who are
not already proficient with the DOM should consider using the
not already proficient with the DOM should consider using the
:mod:`xml.etree.ElementTree` module for their XML processing instead
:mod:`xml.etree.ElementTree` module for their XML processing instead
.. warning::
The :mod:`xml.dom.minidom` module is not secure against
maliciously constructed data. If you need to parse untrusted or
unauthenticated data see :ref:`xml-vulnerabilities`.
DOM applications typically start by parsing some XML into a DOM. With
DOM applications typically start by parsing some XML into a DOM. With
:mod:`xml.dom.minidom`, this is done through the parse functions::
:mod:`xml.dom.minidom`, this is done through the parse functions::
...
...
Doc/library/xml.dom.pulldom.rst
...
@@ -17,6 +17,14 @@ processing model together with callbacks, the user of a pull parser is
...
@@ -17,6 +17,14 @@ processing model together with callbacks, the user of a pull parser is
responsible for explicitly pulling events from the stream, looping over those
responsible for explicitly pulling events from the stream, looping over those
events until either processing is finished or an error condition occurs.
events until either processing is finished or an error condition occurs.
.. warning::
The :mod:`xml.dom.pulldom` module is not secure against
maliciously constructed data. If you need to parse untrusted or
unauthenticated data see :ref:`xml-vulnerabilities`.
Example::
Example::
from xml.dom import pulldom
from xml.dom import pulldom
...
...
Doc/library/xml.etree.elementtree.rst
...
@@ -12,6 +12,13 @@ for parsing and creating XML data.
...
@@ -12,6 +12,13 @@ for parsing and creating XML data.
This module will use a fast implementation whenever available.
This module will use a fast implementation whenever available.
The :mod:`xml.etree.cElementTree` module is deprecated.
The :mod:`xml.etree.cElementTree` module is deprecated.
.. warning::
The :mod:`xml.etree.ElementTree` module is not secure against
maliciously constructed data. If you need to parse untrusted or
unauthenticated data see :ref:`xml-vulnerabilities`.
Tutorial
Tutorial
--------
--------
...
...
Doc/library/xml.rst
...
@@ -3,8 +3,21 @@
...
@@ -3,8 +3,21 @@
XML
Processing
Modules
XML
Processing
Modules
======================
======================
..
module
::
xml
:
synopsis
:
Package
containing
XML
processing
modules
..
sectionauthor
::
Christian
Heimes
<
christian
@
python
.
org
>
..
sectionauthor
::
Georg
Brandl
<
georg
@
python
.
org
>
Python
's interfaces for processing XML are grouped in the ``xml`` package.
Python
's interfaces for processing XML are grouped in the ``xml`` package.
.. warning::
The XML modules are not secure against erroneous or maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
It is important to note that modules in the :mod:`xml` package require that
It is important to note that modules in the :mod:`xml` package require that
there be at least one SAX-compliant XML parser available. The Expat parser is
there be at least one SAX-compliant XML parser available. The Expat parser is
included with Python, so the :mod:`xml.parsers.expat` module will always be
included with Python, so the :mod:`xml.parsers.expat` module will always be
...
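Review bot: The warning added here says "not secure against erroneous or maliciously constructed data", while every per-module warning in this commit says only "maliciously constructed data"; pick one phrasing so the package page and the module pages agree. The :ref:`xml-vulnerabilities` label it points to is defined later in this same file (second hunk), so the cross-reference resolves.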
@@ -27,3 +40,94 @@ The XML handling submodules are:
...
@@ -27,3 +40,94 @@ The XML handling submodules are:
* :mod:`xml.sax`: SAX2 base classes and convenience functions
* :mod:`xml.sax`: SAX2 base classes and convenience functions
* :mod:`xml.parsers.expat`: the Expat parser binding
* :mod:`xml.parsers.expat`: the Expat parser binding
.. _xml-vulnerabilities:
XML vulnerabilities
===================
The XML processing modules are not secure against maliciously constructed data.
An attacker can abuse vulnerabilities for e.g. denial of service attacks, to
access local files, to generate network connections to other machines, or
to or circumvent firewalls. The attacks on XML abuse unfamiliar features
like inline `DTD`_ (document type definition) with entities.
========================= ======== ========= ========= ======== =========
kind sax etree minidom pulldom xmlrpc
========================= ======== ========= ========= ======== =========
billion laughs **True** **True** **True** **True** **True**
quadratic blowup **True** **True** **True** **True** **True**
external entity expansion **True** False (1) False (2) **True** False (3)
DTD retrieval **True** False False **True** False
decompression bomb False False False False **True**
========================= ======== ========= ========= ======== =========
1. :mod:`xml.etree.ElementTree` doesn'
t
expand
external
entities
and
raises
a
ParserError
when
an
entity
occurs
.
2.
:
mod
:`
xml
.
dom
.
minidom
`
doesn
't expand external entities and simply returns
the unexpanded entity verbatim.
3. :mod:`xmlrpclib` doesn'
t
expand
external
entities
and
omits
them
.
billion
laughs
/
exponential
entity
expansion
The
`
Billion
Laughs
`
_
attack
--
also
known
as
exponential
entity
expansion
--
uses
multiple
levels
of
nested
entities
.
Each
entity
refers
to
another
entity
several
times
,
the
final
entity
definition
contains
a
small
string
.
Eventually
the
small
string
is
expanded
to
several
gigabytes
.
The
exponential
expansion
consumes
lots
of
CPU
time
,
too
.
quadratic
blowup
entity
expansion
A
quadratic
blowup
attack
is
similar
to
a
`
Billion
Laughs
`
_
attack
;
it
abuses
entity
expansion
,
too
.
Instead
of
nested
entities
it
repeats
one
large
entity
with
a
couple
of
thousand
chars
over
and
over
again
.
The
attack
isn
't as
efficient as the exponential case but it avoids triggering countermeasures of
parsers against heavily nested entities.
external entity expansion
Entity declarations can contain more than just text for replacement. They can
also point to external resources by public identifiers or system identifiers.
System identifiers are standard URIs or can refer to local files. The XML
parser retrieves the resource with e.g. HTTP or FTP requests and embeds the
content into the XML document.
DTD retrieval
Some XML libraries like Python'
s
mod
:
'xml.dom.pulldom'
retrieve
document
type
definitions
from
remote
or
local
locations
.
The
feature
has
similar
implications
as
the
external
entity
expansion
issue
.
decompression
bomb
The
issue
of
decompression
bombs
(
aka
`
ZIP
bomb
`
_
)
apply
to
all
XML
libraries
that
can
parse
compressed
XML
stream
like
gzipped
HTTP
streams
or
LZMA
-
ed
files
.
For
an
attacker
it
can
reduce
the
amount
of
transmitted
data
by
three
magnitudes
or
more
.
The
documentation
of
`
defusedxml
`
_
on
PyPI
has
further
information
about
all
known
attack
vectors
with
examples
and
references
.
defused
packages
----------------
`
defusedxml
`
_
is
a
pure
Python
package
with
modified
subclasses
of
all
stdlib
XML
parsers
that
prevent
any
potentially
malicious
operation
.
The
courses
of
action
are
recommended
for
any
server
code
that
parses
untrusted
XML
data
.
The
package
also
ships
with
example
exploits
and
an
extended
documentation
on
more
XML
exploits
like
xpath
injection
.
`
defusedexpat
`
_
provides
a
modified
libexpat
and
patched
replacment
:
mod
:`
pyexpat
`
extension
module
with
countermeasures
against
entity
expansion
DoS
attacks
.
Defusedexpat
still
allows
a
sane
and
configurable
amount
of
entity
expansions
.
The
modifications
will
be
merged
into
future
releases
of
Python
.
The
workarounds
and
modifications
are
not
included
in
patch
releases
as
they
break
backward
compatibility
.
After
all
inline
DTD
and
entity
expansion
are
well
-
definied
XML
features
.
..
_defusedxml
:
<
https
://
pypi
.
python
.
org
/
pypi
/
defusedxml
/>
..
_defusedexpat
:
<
https
://
pypi
.
python
.
org
/
pypi
/
defusedexpat
/>
..
_Billion
Laughs
:
http
://
en
.
wikipedia
.
org
/
wiki
/
Billion_laughs
..
_ZIP
bomb
:
http
://
en
.
wikipedia
.
org
/
wiki
/
Zip_bomb
..
_DTD
:
http
://
en
.
wikipedia
.
org
/
wiki
/
Document_Type_Definition
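Review bot: The "DTD retrieval" entry writes the module reference as `mod:'xml.dom.pulldom'`, which is not a valid Sphinx role and will render as literal text; it should be :mod:`xml.dom.pulldom`. Two more naming problems in the footnotes: footnote 3 refers to :mod:`xmlrpclib`, the Python 2 name, whereas this tree documents the module as :mod:`xmlrpc.client` (as the warning in Doc/library/xmlrpc.client.rst calls it); footnote 1 says ElementTree "raises a ParserError", but the exception the module defines is :exc:`xml.etree.ElementTree.ParseError`. Wording fixes: "to or circumvent firewalls" should be "or to circumvent firewalls"; "The issue of decompression bombs ... apply to all XML libraries" should be "applies to"; "replacment" and "well-definied" are misspelled; and "The courses of action are recommended for any server code" does not say which course of action, presumably "Using these packages is recommended for any server code that parses untrusted XML data". Finally, "The modifications will be merged into future releases of Python" states a plan as a fact; "are expected to be merged" is safer for documentation.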
Doc/library/xml.sax.rst
...
@@ -13,6 +13,14 @@ Simple API for XML (SAX) interface for Python. The package itself provides the
...
@@ -13,6 +13,14 @@ Simple API for XML (SAX) interface for Python. The package itself provides the
SAX exceptions and the convenience functions which will be most used by users of
SAX exceptions and the convenience functions which will be most used by users of
the SAX API.
the SAX API.
.. warning::
The :mod:`xml.sax` module is not secure against maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
The convenience functions are:
The convenience functions are:
...
...
Doc/library/xmlrpc.client.rst
...
@@ -21,6 +21,13 @@ supports writing XML-RPC client code; it handles all the details of translating
...
@@ -21,6 +21,13 @@ supports writing XML-RPC client code; it handles all the details of translating
between conformable Python objects and XML on the wire.
between conformable Python objects and XML on the wire.
.. warning::
The :mod:`xmlrpc.client` module is not secure against maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
.. class:: ServerProxy(uri, transport=None, encoding=None, verbose=False, \
.. class:: ServerProxy(uri, transport=None, encoding=None, verbose=False, \
allow_none=False, use_datetime=False, \
allow_none=False, use_datetime=False, \
use_builtin_types=False)
use_builtin_types=False)
...
...
Doc/library/xmlrpc.server.rst
...
@@ -16,6 +16,13 @@ servers written in Python. Servers can either be free standing, using
...
@@ -16,6 +16,13 @@ servers written in Python. Servers can either be free standing, using
:class:`CGIXMLRPCRequestHandler`.
:class:`CGIXMLRPCRequestHandler`.
.. warning::
The :mod:`xmlrpc.client` module is not secure against maliciously
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
.. class:: SimpleXMLRPCServer(addr, requestHandler=SimpleXMLRPCRequestHandler,\
.. class:: SimpleXMLRPCServer(addr, requestHandler=SimpleXMLRPCRequestHandler,\
logRequests=True, allow_none=False, encoding=None,\
logRequests=True, allow_none=False, encoding=None,\
bind_and_activate=True, use_builtin_types=False)
bind_and_activate=True, use_builtin_types=False)
...
...
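Review bot: The warning in this hunk names the wrong module: the file is Doc/library/xmlrpc.server.rst, but the text reads "The :mod:`xmlrpc.client` module is not secure against maliciously constructed data"; it should say :mod:`xmlrpc.server`. The identical sentence was also added to Doc/library/xmlrpc.client.rst, where the module name is correct, so this looks like a copy-and-paste slip.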
Misc/NEWS
...
@@ -882,6 +882,8 @@ Tools/Demos
...
@@ -882,6 +882,8 @@ Tools/Demos
Documentation
Documentation
-------------
-------------
-
Issue
17538
:
Document
XML
vulnerabilties
-
Issue
#
16642
:
sched
.
scheduler
timefunc
initial
default
is
time
.
monotonic
.
-
Issue
#
16642
:
sched
.
scheduler
timefunc
initial
default
is
time
.
monotonic
.
Patch
by
Ramchandra
Apte
Patch
by
Ramchandra
Apte
...
...
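Review bot: The new NEWS entry "- Issue 17538: Document XML vulnerabilties" misspells "vulnerabilities", and it omits the "#" that the neighbouring entry ("- Issue #16642: sched.scheduler timefunc initial default is time.monotonic.") uses; write it as "- Issue #17538: Document XML vulnerabilities" to match the existing entries in this section.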