python-defusedxml
===================================================
defusedxml -- defusing XML bombs and other exploits
===================================================

.. epigraph::

   "It's just XML, what could probably go wrong?"

   -- Christian Heimes

Synopsis
========

The results of an attack on a vulnerable XML library can be fairly dramatic.
With just a few hundred **Bytes** of XML data an attacker can occupy several
**Gigabytes** of memory within **seconds**. An attacker can also keep CPUs busy
for a long time with a small to medium-sized request. Under some circumstances
it is even possible to access local files on your server, to circumvent a
firewall, or to abuse services to rebound attacks to third parties.

The attacks use and abuse less common features of XML and its parsers. The
majority of developers are unacquainted with features such as processing
instructions and entity expansions that XML inherited from SGML. At best
they know about ``<!DOCTYPE>`` from experience with HTML, but they are not
aware that a document type definition (DTD) can generate an HTTP request
or load a file from the file system.

None of the issues is new; they have been known for a long time. Billion
laughs was first reported in 2003. Nevertheless some XML libraries and
applications are still vulnerable, and even heavy users of XML are
surprised by these features. It's hard to say whom to blame for the
situation. It's too short-sighted to shift all blame onto XML parsers and
XML libraries for using insecure default settings; after all, they
properly implement the XML specifications. Application developers must not
assume that a library is configured for security by default or that it
guards against potentially harmful data.

.. contents:: Table of Contents
   :depth: 2

Attack vectors
==============

billion laughs / exponential entity expansion
---------------------------------------------

The `Billion Laughs`_ attack -- also known as exponential entity expansion --
uses multiple levels of nested entities. The original example uses 9 levels
of 10 expansions in each level to expand the string lol to a string of
3 * 10 :sup:`9` bytes, hence the name "billion laughs". The resulting string
occupies 3 GB (2.79 GiB) of memory; intermediate strings require additional
memory. Because most parsers don't cache the intermediate step for every
expansion, it is repeated over and over again, which increases the CPU load
even more.

An XML document of just a few hundred bytes can disrupt all services on a
machine within seconds.

Example XML::

    <!DOCTYPE xmlbomb [
    <!ENTITY a "1234567890" >
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
    ]>
    <bomb>&d;</bomb>

quadratic blowup entity expansion
---------------------------------

A quadratic blowup attack is similar to a `Billion Laughs`_ attack; it abuses
entity expansion, too. Instead of nested entities it repeats one large entity
with a couple of thousand chars over and over again. The attack isn't as
efficient as the exponential case, but it avoids triggering countermeasures of
parsers against heavily nested entities. Some parsers limit the depth and
breadth of a single entity but not the total amount of expanded text
throughout an entire XML document.
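A defensive pre-parse check for the two expansion attacks described above, added here as an example; it is stdlib-only and is not code from defusedxml or from any XML parser. It computes how large the entity expansion of a document would be without performing it, and rejects the document when the amplification exceeds a threshold; the billion-laughs and quadratic documents, the 1 MB size cap and the 100x ratio are constructed for the example.

```python
import re
# Constructed sample documents (added example, not code from the defusedxml project).
BILLION_LAUGHS = (
    '<!DOCTYPE bomb [\n<!ENTITY a "1234567890">\n'
    '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">\n<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    '<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">\n<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;">\n'
    ']>\n<bomb>&e;</bomb>')
QUADRATIC = ('<!DOCTYPE bomb [<!ENTITY big "' + "x" * 1000 + '">]>'
             + "<bomb>" + "&big;" * 500 + "</bomb>")

DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


def split_doctype(doc):
    """Return ({entity name: replacement text}, body after the internal DTD subset)."""
    m = DOCTYPE.search(doc)
    if not m:
        return {}, doc
    return dict(ENTITY_DECL.findall(m.group(1))), doc[m.end():]


def expanded_length(text, entities, sizes, active=frozenset()):
    """Length of `text` after full entity expansion, computed from lengths alone.
    `sizes` memoises each entity, so measuring a bomb is linear in the DTD size."""
    total, last = 0, 0
    for ref in ENTITY_REF.finditer(text):
        total += ref.start() - last
        last = ref.end()
        name = ref.group(1)
        if name not in entities:           # &amp; or undeclared: the parser leaves it alone
            total += len(ref.group(0))
            continue
        if name in active:                 # a -> b -> a is forbidden by the XML spec
            raise ValueError("recursive entity: " + name)
        if name not in sizes:
            sizes[name] = expanded_length(entities[name], entities, sizes, active | {name})
        total += sizes[name]
    return total + len(text) - last


def check_expansion(doc, max_bytes=1_000_000, max_ratio=100):
    """Return (ok, expanded body length, reason); the ratio test catches nesting and repetition alike."""
    entities, body = split_doctype(doc)
    try:
        expanded = expanded_length(body, entities, {})
    except ValueError as exc:
        return False, None, str(exc)
    if expanded > max_bytes or expanded > max_ratio * len(doc):
        return False, expanded, "expands to %d bytes (%.0fx)" % (expanded, expanded / len(doc))
    return True, expanded, "ok"
```

The quadratic sample has an entity depth of one, so a depth limit alone would pass it, while the ratio test rejects it together with the nested sample.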

Configuration Switches (platform-specific settings discarded)
=============================================================

===== === =======================
PY312 ON  Build using Python 3.12
PY313 OFF Build using Python 3.13
===== === =======================

Package Dependencies by Type
============================

Download groups
===============

main
    mirror://PYPIWHL/07/6c/aa3f2f849e01cb6a001cd8554a88d4c77c5c1a31c95bdf1cf9301e6d9ef4

Distribution File Information
=============================

a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61 25604 python-src/defusedxml-0.7.1-py2.py3-none-any.whl

Ports that require python-defusedxml:v12
========================================