| author | Christian Heimes <christian@python.org> | 2013-02-15 01:04:02 +0100 |
|---|---|---|
| committer | Christian Heimes <christian@python.org> | 2013-02-15 01:04:02 +0100 |
| commit | f995ba15ee9d3541109502eb69db4a48f24c4640 (patch) | |
| tree | d695cb6ef92471ebf050fe0891ff9ff745823e27 | |
| parent | d9d3b029413bf149e69374829882afa3f1c78821 (diff) | |
| download | defusedxml-git-f995ba15ee9d3541109502eb69db4a48f24c4640.tar.gz | |
more thanks and explain others
-rw-r--r-- | README.txt | 14 |
1 files changed, 13 insertions, 1 deletions
@@ -425,6 +425,8 @@ XSL Transformation You should keep in mind that XSLT is a Turing complete language. Never process XSLT code from unknown or untrusted source! XSLT processors may allow you to interact with external resources in ways you can't even imagine. +Some processors even support extensions that allow read/write access to file +system, access to JRE objects or scripting with Jython. Example from `Attacking XML Security`_ for Xalan-J:: @@ -446,11 +448,16 @@ Example from `Attacking XML Security`_ for Xalan-J:: Other languages / frameworks ============================= +Several other programming languages and frameworks are vulnerable as well. A +couple of them are affected by the fact that libxml2 up to 2.9.0 has no +protection against quadratic blowup attacks. Most of them have potential +dangerous default settings for entity expansion and external entities, too. + Perl ---- Perl's XML::Simple is vulnerable to quadratic entity expansion and external -entity expansion (both local and remote) +entity expansion (both local and remote). Ruby @@ -526,10 +533,15 @@ Aaron Patterson, Ben Murphy and Michael Koziarski (Ruby community) report and assistance. Thierry Carrez (OpenStack) + Many thanks to Thierry for his report to the Python Security Response + Team on behalf of the OpenStack security team. Carl Meyer (Django) + Many thanks to Carl for his report to PSRT on behalf of the Django security + team. Daniel Veillard (libxml2) + Many thanks to Daniel for his insight and assistance with libxml2. semantics GmbH (http://www.semantics.de/) Many thanks to my employer semantics for letting me work on the issue |
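Review bot: in the sentence added under "XSL Transformation", "read/write access to file system" should read "read/write access to the file system", and the claim that "some processors" expose JRE objects or Jython scripting is left unattributed. The only example that follows is for Xalan-J and cites `Attacking XML Security`_, so either name Xalan-J as the processor this applies to or tie the sentence to that reference, so a reader can check which processors actually ship such extensions before deciding whether the warning applies to their stack.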
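Review bot: in the paragraph added under "Other languages / frameworks", "potential dangerous default settings" should be "potentially dangerous default settings", and "libxml2 up to 2.9.0 has no protection against quadratic blowup attacks" is ambiguous about whether 2.9.0 itself is affected; write it as "2.9.0 and earlier" or "before 2.9.1", whichever matches the release that added the protection, since readers will use this line to decide whether their libxml2 needs upgrading. The added period at the end of the Perl entry is fine.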
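Review bot: in the acknowledgements hunk, the Thierry Carrez entry spells out "Python Security Response Team" while the Carl Meyer entry directly below uses "PSRT"; introduce the abbreviation once, e.g. "Python Security Response Team (PSRT)" in the first entry, and use "PSRT" after that, or spell it out in both. The first two added entries also say what was reported and on whose behalf, but the Daniel Veillard entry only says "insight and assistance with libxml2"; naming the issue it concerned (the patch itself mentions the missing quadratic blowup protection in libxml2) would make that credit as specific as the others.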