2012-10-06 08:49:34 -03:00
|
|
|
.. _xml:
|
|
|
|
|
|
|
|
XML Processing Modules
|
|
|
|
======================
|
|
|
|
|
2013-03-26 13:35:55 -03:00
|
|
|
.. module:: xml
|
|
|
|
:synopsis: Package containing XML processing modules
|
2016-06-11 16:02:54 -03:00
|
|
|
|
2013-03-26 13:35:55 -03:00
|
|
|
.. sectionauthor:: Christian Heimes <christian@python.org>
|
|
|
|
.. sectionauthor:: Georg Brandl <georg@python.org>
|
|
|
|
|
2016-06-11 16:02:54 -03:00
|
|
|
**Source code:** :source:`Lib/xml/`
|
|
|
|
|
|
|
|
--------------
|
2013-03-26 13:35:55 -03:00
|
|
|
|
2012-10-06 08:49:34 -03:00
|
|
|
Python's interfaces for processing XML are grouped in the ``xml`` package.
|
|
|
|
|
2013-03-26 13:35:55 -03:00
|
|
|
.. warning::
|
|
|
|
|
|
|
|
The XML modules are not secure against erroneous or maliciously
|
2014-02-15 16:33:44 -04:00
|
|
|
constructed data. If you need to parse untrusted or
|
|
|
|
unauthenticated data see the :ref:`xml-vulnerabilities` and
|
2020-09-04 17:57:48 -03:00
|
|
|
:ref:`defusedxml-package` sections.
|
2013-03-26 13:47:23 -03:00
|
|
|
|
2012-10-06 08:49:34 -03:00
|
|
|
It is important to note that modules in the :mod:`xml` package require that
|
|
|
|
there be at least one SAX-compliant XML parser available. The Expat parser is
|
|
|
|
included with Python, so the :mod:`xml.parsers.expat` module will always be
|
|
|
|
available.
|
|
|
|
|
|
|
|
The documentation for the :mod:`xml.dom` and :mod:`xml.sax` packages are the
|
|
|
|
definition of the Python bindings for the DOM and SAX interfaces.
|
|
|
|
|
|
|
|
The XML handling submodules are:
|
|
|
|
|
|
|
|
* :mod:`xml.etree.ElementTree`: the ElementTree API, a simple and lightweight
|
2014-01-31 13:30:36 -04:00
|
|
|
XML processor
|
2012-10-06 08:49:34 -03:00
|
|
|
|
|
|
|
..
|
|
|
|
|
|
|
|
* :mod:`xml.dom`: the DOM API definition
|
2013-12-21 20:57:01 -04:00
|
|
|
* :mod:`xml.dom.minidom`: a minimal DOM implementation
|
2012-10-06 08:49:34 -03:00
|
|
|
* :mod:`xml.dom.pulldom`: support for building partial DOM trees
|
|
|
|
|
|
|
|
..
|
|
|
|
|
|
|
|
* :mod:`xml.sax`: SAX2 base classes and convenience functions
|
|
|
|
* :mod:`xml.parsers.expat`: the Expat parser binding
|
2013-03-26 13:35:55 -03:00
|
|
|
|
|
|
|
|
|
|
|
.. _xml-vulnerabilities:
|
|
|
|
|
|
|
|
XML vulnerabilities
|
2014-02-15 16:33:44 -04:00
|
|
|
-------------------
|
2013-03-26 13:35:55 -03:00
|
|
|
|
|
|
|
The XML processing modules are not secure against maliciously constructed data.
|
2014-02-15 16:33:44 -04:00
|
|
|
An attacker can abuse XML features to carry out denial of service attacks,
|
|
|
|
access local files, generate network connections to other machines, or
|
|
|
|
circumvent firewalls.
|
2013-03-26 13:35:55 -03:00
|
|
|
|
2014-02-15 16:33:44 -04:00
|
|
|
The following table gives an overview of the known attacks and whether
|
|
|
|
the various modules are vulnerable to them.
|
2013-03-26 13:35:55 -03:00
|
|
|
|
2021-08-29 11:08:24 -03:00
|
|
|
========================= ================== ================== ================== ================== ==================
|
|
|
|
kind sax etree minidom pulldom xmlrpc
|
|
|
|
========================= ================== ================== ================== ================== ==================
|
|
|
|
billion laughs **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1)
|
|
|
|
quadratic blowup **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1) **Vulnerable** (1)
|
|
|
|
external entity expansion Safe (5) Safe (2) Safe (3) Safe (5) Safe (4)
|
|
|
|
`DTD`_ retrieval Safe (5) Safe Safe Safe (5) Safe
|
|
|
|
decompression bomb Safe Safe Safe Safe **Vulnerable**
|
2024-02-21 07:26:16 -04:00
|
|
|
large tokens **Vulnerable** (6) **Vulnerable** (6) **Vulnerable** (6) **Vulnerable** (6) **Vulnerable** (6)
|
2021-08-29 11:08:24 -03:00
|
|
|
========================= ================== ================== ================== ================== ==================
|
|
|
|
|
|
|
|
1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and
|
|
|
|
"quadratic blowup" vulnerabilities. Items still listed as vulnerable due to
|
|
|
|
potential reliance on system-provided libraries. Check
|
2023-11-25 19:40:19 -04:00
|
|
|
:const:`!pyexpat.EXPAT_VERSION`.
|
2021-08-29 11:08:24 -03:00
|
|
|
2. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
|
2023-07-29 02:48:10 -03:00
|
|
|
:exc:`~xml.etree.ElementTree.ParseError` when an entity occurs.
|
2021-08-29 11:08:24 -03:00
|
|
|
3. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns
|
2013-03-26 13:35:55 -03:00
|
|
|
the unexpanded entity verbatim.
|
2023-07-29 02:48:10 -03:00
|
|
|
4. :mod:`xmlrpc.client` doesn't expand external entities and omits them.
|
2021-08-29 11:08:24 -03:00
|
|
|
5. Since Python 3.7.1, external general entities are no longer processed by
|
2018-12-19 02:05:14 -04:00
|
|
|
default.
|
2024-02-21 07:26:16 -04:00
|
|
|
6. Expat 2.6.0 and newer is not vulnerable to denial of service
|
|
|
|
through quadratic runtime caused by parsing large tokens.
|
|
|
|
Items still listed as vulnerable due to
|
|
|
|
potential reliance on system-provided libraries. Check
|
|
|
|
:const:`!pyexpat.EXPAT_VERSION`.
|
2013-03-26 13:35:55 -03:00
|
|
|
|
|
|
|
|
|
|
|
billion laughs / exponential entity expansion
|
|
|
|
The `Billion Laughs`_ attack -- also known as exponential entity expansion --
|
|
|
|
uses multiple levels of nested entities. Each entity refers to another entity
|
2014-02-15 16:33:44 -04:00
|
|
|
several times, and the final entity definition contains a small string.
|
|
|
|
The exponential expansion results in several gigabytes of text and
|
|
|
|
consumes lots of memory and CPU time.
|
2013-03-26 13:35:55 -03:00
|
|
|
|
|
|
|
quadratic blowup entity expansion
|
|
|
|
A quadratic blowup attack is similar to a `Billion Laughs`_ attack; it abuses
|
|
|
|
entity expansion, too. Instead of nested entities it repeats one large entity
|
|
|
|
with a couple of thousand chars over and over again. The attack isn't as
|
2014-02-15 16:33:44 -04:00
|
|
|
efficient as the exponential case but it avoids triggering parser countermeasures
|
2022-07-05 06:16:10 -03:00
|
|
|
that forbid deeply nested entities.
|
2013-03-26 13:35:55 -03:00
|
|
|
|
|
|
|
external entity expansion
|
|
|
|
Entity declarations can contain more than just text for replacement. They can
|
2014-02-15 16:33:44 -04:00
|
|
|
also point to external resources or local files. The XML
|
|
|
|
parser accesses the resource and embeds the content into the XML document.
|
2013-03-26 13:35:55 -03:00
|
|
|
|
2016-02-26 14:37:12 -04:00
|
|
|
`DTD`_ retrieval
|
2014-01-13 14:51:17 -04:00
|
|
|
Some XML libraries like Python's :mod:`xml.dom.pulldom` retrieve document type
|
2013-03-26 13:35:55 -03:00
|
|
|
definitions from remote or local locations. The feature has similar
|
|
|
|
implications as the external entity expansion issue.
|
|
|
|
|
|
|
|
decompression bomb
|
2014-02-15 16:33:44 -04:00
|
|
|
Decompression bombs (aka `ZIP bomb`_) apply to all XML libraries
|
|
|
|
that can parse compressed XML streams such as gzipped HTTP streams or
|
|
|
|
LZMA-compressed
|
2013-03-26 13:35:55 -03:00
|
|
|
files. For an attacker it can reduce the amount of transmitted data by three
|
|
|
|
magnitudes or more.
|
|
|
|
|
2024-02-21 07:26:16 -04:00
|
|
|
large tokens
|
|
|
|
Expat needs to re-parse unfinished tokens; without the protection
|
|
|
|
introduced in Expat 2.6.0, this can lead to quadratic runtime that can
|
|
|
|
be used to cause denial of service in the application parsing XML.
|
|
|
|
The issue is known as
|
|
|
|
`CVE-2023-52425 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425>`_.
|
|
|
|
|
2014-02-15 16:33:44 -04:00
|
|
|
The documentation for `defusedxml`_ on PyPI has further information about
|
2013-03-26 13:35:55 -03:00
|
|
|
all known attack vectors with examples and references.
|
|
|
|
|
2020-09-04 17:57:48 -03:00
|
|
|
.. _defusedxml-package:
|
2013-03-26 13:35:55 -03:00
|
|
|
|
2023-07-29 02:48:10 -03:00
|
|
|
The :mod:`!defusedxml` Package
|
|
|
|
------------------------------
|
2013-03-26 13:35:55 -03:00
|
|
|
|
2014-02-15 16:33:44 -04:00
|
|
|
`defusedxml`_ is a pure Python package with modified subclasses of all stdlib
|
|
|
|
XML parsers that prevent any potentially malicious operation. Use of this
|
|
|
|
package is recommended for any server code that parses untrusted XML data. The
|
|
|
|
package also ships with example exploits and extended documentation on more
|
|
|
|
XML exploits such as XPath injection.
|
2013-03-26 13:35:55 -03:00
|
|
|
|
|
|
|
|
2018-05-15 15:58:35 -03:00
|
|
|
.. _defusedxml: https://pypi.org/project/defusedxml/
|
2016-02-26 14:37:12 -04:00
|
|
|
.. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs
|
|
|
|
.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
|
|
|
|
.. _DTD: https://en.wikipedia.org/wiki/Document_type_definition
|