mirror of https://github.com/python/cpython
merge 3.3
This commit is contained in:
Benjamin Peterson
commit
30f240150e
|
|
@ -14,9 +14,9 @@ Python's interfaces for processing XML are grouped in the ``xml`` package.
|
||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
The XML modules are not secure against erroneous or maliciously
|
The XML modules are not secure against erroneous or maliciously
|
||||||
constructed data. If you need to parse untrusted or unauthenticated data see
|
constructed data. If you need to parse untrusted or
|
||||||
:ref:`xml-vulnerabilities`.
|
unauthenticated data see the :ref:`xml-vulnerabilities` and
|
||||||
|
:ref:`defused-packages` sections.
|
||||||
|
|
||||||
It is important to note that modules in the :mod:`xml` package require that
|
It is important to note that modules in the :mod:`xml` package require that
|
||||||
there be at least one SAX-compliant XML parser available. The Expat parser is
|
there be at least one SAX-compliant XML parser available. The Expat parser is
|
||||||
|
|
@ -46,16 +46,15 @@ The XML handling submodules are:
|
||||||
.. _xml-vulnerabilities:
|
.. _xml-vulnerabilities:
|
||||||
|
|
||||||
XML vulnerabilities
|
XML vulnerabilities
|
||||||
===================
|
-------------------
|
||||||
|
|
||||||
The XML processing modules are not secure against maliciously constructed data.
|
The XML processing modules are not secure against maliciously constructed data.
|
||||||
An attacker can abuse vulnerabilities for e.g. denial of service attacks, to
|
An attacker can abuse XML features to carry out denial of service attacks,
|
||||||
access local files, to generate network connections to other machines, or
|
access local files, generate network connections to other machines, or
|
||||||
to or circumvent firewalls. The attacks on XML abuse unfamiliar features
|
circumvent firewalls.
|
||||||
like inline `DTD`_ (document type definition) with entities.
|
|
||||||
|
|
||||||
The following table gives an overview of the known attacks and if the various
|
The following table gives an overview of the known attacks and whether
|
||||||
modules are vulnerable to them.
|
the various modules are vulnerable to them.
|
||||||
|
|
||||||
========================= ======== ========= ========= ======== =========
|
========================= ======== ========= ========= ======== =========
|
||||||
kind sax etree minidom pulldom xmlrpc
|
kind sax etree minidom pulldom xmlrpc
|
||||||
|
|
@ -68,7 +67,7 @@ decompression bomb No No No No **Yes**
|
||||||
========================= ======== ========= ========= ======== =========
|
========================= ======== ========= ========= ======== =========
|
||||||
|
|
||||||
1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
|
1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a
|
||||||
ParserError when an entity occurs.
|
:exc:`ParserError` when an entity occurs.
|
||||||
2. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns
|
2. :mod:`xml.dom.minidom` doesn't expand external entities and simply returns
|
||||||
the unexpanded entity verbatim.
|
the unexpanded entity verbatim.
|
||||||
3. :mod:`xmlrpclib` doesn't expand external entities and omits them.
|
3. :mod:`xmlrpclib` doesn't expand external entities and omits them.
|
||||||
|
|
@ -77,23 +76,21 @@ decompression bomb No No No No **Yes**
|
||||||
billion laughs / exponential entity expansion
|
billion laughs / exponential entity expansion
|
||||||
The `Billion Laughs`_ attack -- also known as exponential entity expansion --
|
The `Billion Laughs`_ attack -- also known as exponential entity expansion --
|
||||||
uses multiple levels of nested entities. Each entity refers to another entity
|
uses multiple levels of nested entities. Each entity refers to another entity
|
||||||
several times, the final entity definition contains a small string. Eventually
|
several times, and the final entity definition contains a small string.
|
||||||
the small string is expanded to several gigabytes. The exponential expansion
|
The exponential expansion results in several gigabytes of text and
|
||||||
consumes lots of CPU time, too.
|
consumes lots of memory and CPU time.
|
||||||
|
|
||||||
quadratic blowup entity expansion
|
quadratic blowup entity expansion
|
||||||
A quadratic blowup attack is similar to a `Billion Laughs`_ attack; it abuses
|
A quadratic blowup attack is similar to a `Billion Laughs`_ attack; it abuses
|
||||||
entity expansion, too. Instead of nested entities it repeats one large entity
|
entity expansion, too. Instead of nested entities it repeats one large entity
|
||||||
with a couple of thousand chars over and over again. The attack isn't as
|
with a couple of thousand chars over and over again. The attack isn't as
|
||||||
efficient as the exponential case but it avoids triggering countermeasures of
|
efficient as the exponential case but it avoids triggering parser countermeasures
|
||||||
parsers against heavily nested entities.
|
that forbid deeply-nested entities.
|
||||||
|
|
||||||
external entity expansion
|
external entity expansion
|
||||||
Entity declarations can contain more than just text for replacement. They can
|
Entity declarations can contain more than just text for replacement. They can
|
||||||
also point to external resources by public identifiers or system identifiers.
|
also point to external resources or local files. The XML
|
||||||
System identifiers are standard URIs or can refer to local files. The XML
|
parser accesses the resource and embeds the content into the XML document.
|
||||||
parser retrieves the resource with e.g. HTTP or FTP requests and embeds the
|
|
||||||
content into the XML document.
|
|
||||||
|
|
||||||
DTD retrieval
|
DTD retrieval
|
||||||
Some XML libraries like Python's :mod:`xml.dom.pulldom` retrieve document type
|
Some XML libraries like Python's :mod:`xml.dom.pulldom` retrieve document type
|
||||||
|
|
@ -101,31 +98,32 @@ DTD retrieval
|
||||||
implications as the external entity expansion issue.
|
implications as the external entity expansion issue.
|
||||||
|
|
||||||
decompression bomb
|
decompression bomb
|
||||||
The issue of decompression bombs (aka `ZIP bomb`_) apply to all XML libraries
|
Decompression bombs (aka `ZIP bomb`_) apply to all XML libraries
|
||||||
that can parse compressed XML stream like gzipped HTTP streams or LZMA-ed
|
that can parse compressed XML streams such as gzipped HTTP streams or
|
||||||
|
LZMA-compressed
|
||||||
files. For an attacker it can reduce the amount of transmitted data by three
|
files. For an attacker it can reduce the amount of transmitted data by three
|
||||||
magnitudes or more.
|
magnitudes or more.
|
||||||
|
|
||||||
The documentation of `defusedxml`_ on PyPI has further information about
|
The documentation for `defusedxml`_ on PyPI has further information about
|
||||||
all known attack vectors with examples and references.
|
all known attack vectors with examples and references.
|
||||||
|
|
||||||
defused packages
|
.. _defused-packages:
|
||||||
----------------
|
|
||||||
|
The :mod:`defusedxml` and :mod:`defusedexpat` Packages
|
||||||
|
------------------------------------------------------
|
||||||
|
|
||||||
`defusedxml`_ is a pure Python package with modified subclasses of all stdlib
|
`defusedxml`_ is a pure Python package with modified subclasses of all stdlib
|
||||||
XML parsers that prevent any potentially malicious operation. The courses of
|
XML parsers that prevent any potentially malicious operation. Use of this
|
||||||
action are recommended for any server code that parses untrusted XML data. The
|
package is recommended for any server code that parses untrusted XML data. The
|
||||||
package also ships with example exploits and an extended documentation on more
|
package also ships with example exploits and extended documentation on more
|
||||||
XML exploits like xpath injection.
|
XML exploits such as XPath injection.
|
||||||
|
|
||||||
`defusedexpat`_ provides a modified libexpat and patched replacment
|
`defusedexpat`_ provides a modified libexpat and a patched
|
||||||
:mod:`pyexpat` extension module with countermeasures against entity expansion
|
:mod:`pyexpat` module that have countermeasures against entity expansion
|
||||||
DoS attacks. Defusedexpat still allows a sane and configurable amount of entity
|
DoS attacks. The :mod:`defusedexpat` module still allows a sane and configurable amount of entity
|
||||||
expansions. The modifications will be merged into future releases of Python.
|
expansions. The modifications may be included in some future release of Python,
|
||||||
|
but will not be included in any bugfix releases of
|
||||||
The workarounds and modifications are not included in patch releases as they
|
Python because they break backward compatibility.
|
||||||
break backward compatibility. After all inline DTD and entity expansion are
|
|
||||||
well-definied XML features.
|
|
||||||
|
|
||||||
|
|
||||||
.. _defusedxml: https://pypi.python.org/pypi/defusedxml/
|
.. _defusedxml: https://pypi.python.org/pypi/defusedxml/
|
||||||
|
|
@ -133,4 +131,3 @@ well-definied XML features.
|
||||||
.. _Billion Laughs: http://en.wikipedia.org/wiki/Billion_laughs
|
.. _Billion Laughs: http://en.wikipedia.org/wiki/Billion_laughs
|
||||||
.. _ZIP bomb: http://en.wikipedia.org/wiki/Zip_bomb
|
.. _ZIP bomb: http://en.wikipedia.org/wiki/Zip_bomb
|
||||||
.. _DTD: http://en.wikipedia.org/wiki/Document_Type_Definition
|
.. _DTD: http://en.wikipedia.org/wiki/Document_Type_Definition
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue