merge with 3.3

This commit is contained in:
Georg Brandl 2013-10-12 18:19:48 +02:00
commit 32b2c62db4
1 changed files with 7 additions and 5 deletions

View File

@ -53,15 +53,17 @@ access local files, to generate network connections to other machines, or
to or circumvent firewalls. The attacks on XML abuse unfamiliar features
like inline `DTD`_ (document type definition) with entities.
The following table gives an overview of the known attacks and if the various
modules are vulnerable to them.
========================= ======== ========= ========= ======== =========
kind sax etree minidom pulldom xmlrpc
========================= ======== ========= ========= ======== =========
billion laughs **True** **True** **True** **True** **True**
quadratic blowup **True** **True** **True** **True** **True**
external entity expansion **True** False (1) False (2) **True** False (3)
DTD retrieval **True** False False **True** False
decompression bomb False False False False **True**
billion laughs **Yes** **Yes** **Yes** **Yes** **Yes**
quadratic blowup **Yes** **Yes** **Yes** **Yes** **Yes**
external entity expansion **Yes** No (1) No (2) **Yes** No (3)
DTD retrieval **Yes** No No **Yes** No
decompression bomb No No No No **Yes**
========================= ======== ========= ========= ======== =========
1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a