@@ -54,37 +54,15 @@ An attacker can abuse XML features to carry out denial of service attacks,
5454access local files, generate network connections to other machines, or
5555circumvent firewalls.
5656
57- The following table gives an overview of the known attacks and whether
58- the various modules are vulnerable to them.
59-
60- ========================= ================== ================== ================== ================== ==================
61- kind sax etree minidom pulldom xmlrpc
62- ========================= ================== ================== ================== ================== ==================
63- billion laughs Safe (1) Safe (1) Safe (1) Safe (1) Safe (1)
64- quadratic blowup Safe (1) Safe (1) Safe (1) Safe (1) Safe (1)
65- external entity expansion Safe (5) Safe (2) Safe (3) Safe (5) Safe (4)
66- `DTD `_ retrieval Safe (5) Safe Safe Safe (5) Safe
67- decompression bomb Safe Safe Safe Safe **Vulnerable **
68- large tokens Safe (6) Safe (6) Safe (6) Safe (6) Safe (6)
69- ========================= ================== ================== ================== ================== ==================
70-
71- 1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and
72- "quadratic blowup" vulnerabilities. Items still listed as vulnerable due to
73- potential reliance on system-provided libraries. Check
74- :const: `!pyexpat.EXPAT_VERSION `.
75- 2. :mod: `xml.etree.ElementTree ` doesn't expand external entities and raises a
76- :exc: `~xml.etree.ElementTree.ParseError ` when an entity occurs.
77- 3. :mod: `xml.dom.minidom ` doesn't expand external entities and simply returns
78- the unexpanded entity verbatim.
79- 4. :mod: `xmlrpc.client ` doesn't expand external entities and omits them.
80- 5. Since Python 3.7.1, external general entities are no longer processed by
81- default.
82- 6. Expat 2.6.0 and newer is not vulnerable to denial of service
83- through quadratic runtime caused by parsing large tokens.
84- Items still listed as vulnerable due to
85- potential reliance on system-provided libraries. Check
86- :const: `!pyexpat.EXPAT_VERSION `.
57+ Expat versions lower that 2.6.0 may be vulnerable to "billion laughs",
58+ "quadratic blowup" and "large tokens". Python may be vulnerable if it uses such
59+ older versions of Expat as a system-provided library, it may be vulnerable.
60+ Check :const: `!pyexpat.EXPAT_VERSION `.
8761
62+ xmlrpc is **vulnerable ** to "decompression bomb".
63+
64+ Since Python 3.7.1, external general entities are no longer processed by
65+ default.
8866
8967billion laughs / exponential entity expansion
9068 The `Billion Laughs `_ attack -- also known as exponential entity expansion --
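Review bot: The new paragraph (lines 57-60 in the new file) has a typo and a garbled sentence: "lower that 2.6.0" should read "lower than 2.6.0", and "Python may be vulnerable if it uses such older versions of Expat as a system-provided library, it may be vulnerable." repeats the clause; suggest "Python may be vulnerable if it uses such older versions of Expat as a system-provided library." Separately, collapsing the version guidance to a single 2.6.0 threshold drops the distinction the removed footnotes made (Expat 2.4.1 already fixes "billion laughs" and "quadratic blowup"; 2.6.0 is the threshold for "large tokens"), and the removed footnotes 2-4 documented per-module behaviour on external entities (etree raises ParseError, minidom returns the entity verbatim, xmlrpc.client omits it) that no longer appears anywhere in the new text; consider keeping that per-module detail in a sentence next to the "Since Python 3.7.1" note.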
@@ -100,16 +78,6 @@ quadratic blowup entity expansion
10078 efficient as the exponential case but it avoids triggering parser countermeasures
10179 that forbid deeply nested entities.
10280
103- external entity expansion
104- Entity declarations can contain more than just text for replacement. They can
105- also point to external resources or local files. The XML
106- parser accesses the resource and embeds the content into the XML document.
107-
108- `DTD `_ retrieval
109- Some XML libraries like Python's :mod: `xml.dom.pulldom ` retrieve document type
110- definitions from remote or local locations. The feature has similar
111- implications as the external entity expansion issue.
112-
11381decompression bomb
11482 Decompression bombs (aka `ZIP bomb `_) apply to all XML libraries
11583 that can parse compressed XML streams such as gzipped HTTP streams or
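Review bot: Removing the "external entity expansion" and "DTD retrieval" definitions leaves a dangling reference: the retained sentence "Since Python 3.7.1, external general entities are no longer processed by default" (new lines 64-65) and the unchanged introduction ("access local files, generate network connections to other machines, or circumvent firewalls") both describe the external-entity / DTD-retrieval threat without the definition list ever naming it. Suggest either keeping a short "external entity expansion" entry in the definition list or rewording the 3.7.1 note to say what is no longer processed and why it mattered.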
@@ -125,4 +93,3 @@ large tokens
12593
12694.. _Billion Laughs : https://en.wikipedia.org/wiki/Billion_laughs
12795.. _ZIP bomb : https://en.wikipedia.org/wiki/Zip_bomb
128- .. _DTD : https://en.wikipedia.org/wiki/Document_type_definition
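Review bot: Dropping the `DTD` link target is consistent with this diff, since both `DTD`_ references (the table row and the definition-list entry) are removed in the earlier hunks; before merging, confirm that no other `DTD`_ reference remains elsewhere in this file, as a reference to a deleted target would surface as an unknown-target warning when the docs are built.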