@ -53,15 +53,17 @@ access local files, to generate network connections to other machines, or |
to or circumvent firewalls. The attacks on XML abuse unfamiliar features |
like inline `DTD`_ (document type definition) with entities. |
|
The following table gives an overview of the known attacks and if the various |
modules are vulnerable to them. |
|
========================= ======== ========= ========= ======== ========= |
kind sax etree minidom pulldom xmlrpc |
========================= ======== ========= ========= ======== ========= |
billion laughs **True** **True** **True** **True** **True** |
quadratic blowup **True** **True** **True** **True** **True** |
external entity expansion **True** False (1) False (2) **True** False (3) |
DTD retrieval **True** False False **True** False |
decompression bomb False False False False **True** |
billion laughs **Yes** **Yes** **Yes** **Yes** **Yes** |
quadratic blowup **Yes** **Yes** **Yes** **Yes** **Yes** |
external entity expansion **Yes** No (1) No (2) **Yes** No (3) |
DTD retrieval **Yes** No No **Yes** No |
decompression bomb No No No No **Yes** |
========================= ======== ========= ========= ======== ========= |
|
1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a |
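Review bot: the `+`/`-` markers have been lost from every line of this hunk (and the header has lost its leading `@`, reading `@ -53,15 +53,17 @@`), so the five `**True**`/`False` rows and the five `**Yes**`/`No` rows that follow them have to be read as the removed and added versions of the same five table rows; confirm that only the Yes/No rows survive, so the simple table keeps exactly one row per attack and the `=====` column borders still line up. The footnote markers `(1)`, `(2)` and `(3)` on the `external entity expansion` row are carried over unchanged, so the numbered notes after the table (the hunk breaks off mid-sentence at `1. :mod:`xml.etree.ElementTree` doesn't expand external entities and raises a`) still match. The header counts `-53,15 +53,17` imply two net added lines that the visible rows (five removed, five added) do not account for, so the rest of the hunk is not shown here. Minor style point: the column header `kind` (unchanged context) is vague for a table of attacks; `attack` would read more clearly.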