| author | Jon Dufresne <jon.dufresne@gmail.com> | 2018-04-04 21:39:54 -0700 |
|---|---|---|
| committer | Christian Heimes <christian@python.org> | 2019-04-14 11:43:38 +0200 |
| commit | a320fbc6cd9c27fbeed98e358814c112d22815ed (patch) | |
| tree | 3ee188bdfc49242e412ca7193c7f8d16bcd9b0d3 | |
| parent | f2c7c35b25f80c08923be49ac1f81e9cf95bd2ae (diff) | |
| download | defusedxml-git-a320fbc6cd9c27fbeed98e358814c112d22815ed.tar.gz | |
Use https:// URLs where available
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | README.md | 26 |
| -rw-r--r-- | README.txt | 18 |
| -rw-r--r-- | defusedxml/ElementTree.py | 2 |
| -rw-r--r-- | defusedxml/__init__.py | 2 |
| -rw-r--r-- | defusedxml/cElementTree.py | 2 |
| -rw-r--r-- | defusedxml/common.py | 2 |
| -rw-r--r-- | defusedxml/expatbuilder.py | 2 |
| -rw-r--r-- | defusedxml/expatreader.py | 2 |
| -rw-r--r-- | defusedxml/lxml.py | 2 |
| -rw-r--r-- | defusedxml/minidom.py | 2 |
| -rw-r--r-- | defusedxml/pulldom.py | 2 |
| -rw-r--r-- | defusedxml/sax.py | 2 |
| -rw-r--r-- | defusedxml/xmlrpc.py | 2 |
13 files changed, 33 insertions, 33 deletions
@@ -38,7 +38,7 @@ Attack vectors ### billion laughs / exponential entity expansion -The [Billion Laughs](http://en.wikipedia.org/wiki/Billion_laughs) attack +The [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs) attack -- also known as exponential entity expansion --uses multiple levels of nested entities. The original example uses 9 levels of 10 expansions in each level to expand the string `lol` to a string of 3 \* 10 ^9^ bytes, @@ -64,7 +64,7 @@ Example XML: ### quadratic blowup entity expansion A quadratic blowup attack is similar to a [Billion -Laughs](http://en.wikipedia.org/wiki/Billion_laughs) attack; it abuses +Laughs](https://en.wikipedia.org/wiki/Billion_laughs) attack; it abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of thousand chars over and over again. The attack isn't as efficient as the exponential case but it avoids triggering @@ -450,7 +450,7 @@ I haven't researched yet if expat, pyexpat or libxml2 are vulnerable. ### decompression bomb The issue of decompression bombs (aka [ZIP -bomb](http://en.wikipedia.org/wiki/Zip_bomb)) apply to all XML libraries +bomb](https://en.wikipedia.org/wiki/Zip_bomb)) apply to all XML libraries that can parse compressed XML stream like gzipped HTTP streams or LZMA-ed files. For an attacker it can reduce the amount of transmitted data by three magnitudes or more. Gzip is able to compress 1 GiB zeros @@ -464,7 +464,7 @@ to roughly 1 MB, lzma is even better: None of Python's standard XML libraries decompress streams except for `xmlrpclib`. The module is vulnerable -<<http://bugs.python.org/issue16043>> to decompression bombs. +<<https://bugs.python.org/issue16043>> to decompression bombs. lxml can load and process compressed data through libxml2 transparently. libxml2 can handle even very large blobs of compressed data efficiently 
@@ -484,7 +484,7 @@ with network or local file access apply to processing instructions, too. ### Other DTD features -[DTD](http://en.wikipedia.org/wiki/Document_Type_Definition) has more +[DTD](https://en.wikipedia.org/wiki/Document_Type_Definition) has more features like `<!NOTATION>`. I haven't researched how these features may be a security threat. @@ -516,7 +516,7 @@ use its xpath() method correctly: ### XInclude -[XML Inclusion](http://www.w3.org/TR/xinclude/#include_element) is +[XML Inclusion](https://www.w3.org/TR/xinclude/#include_element) is another way to load and include external files: <root xmlns:xi="http://www.w3.org/2001/XInclude"> @@ -613,7 +613,7 @@ disables network access but still allows local file access. ### C\# / .NET / Mono Information in [XML DoS and Defenses -(MSDN)](http://msdn.microsoft.com/en-us/magazine/ee335713.aspx) suggest +(MSDN)](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx) suggest that .NET is vulnerable with its default settings. The article contains code snippets how to create a secure XML reader: @@ -626,7 +626,7 @@ code snippets how to create a secure XML reader: ### Java Untested. The documentation of Xerces and its [Xerces -SecurityMananger](http://xerces.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html) +SecurityMananger](https://xerces.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html) sounds like Xerces is also vulnerable to billion laugh attacks with its default settings. It also does entity resolving when an `org.xml.sax.EntityResolver` is configured. I'm not yet sure about the @@ -663,7 +663,7 @@ Copyright (c) 2013-2017 by Christian Heimes Licensed to PSF under a Contributor Agreement. -See <http://www.python.org/psf/license> for licensing details. +See <https://www.python.org/psf/license> for licensing details. Acknowledgements ---------------- 
@@ -695,7 +695,7 @@ Daniel Veillard (libxml2) : Many thanks to Daniel for his insight and assistance with libxml2. -semantics GmbH (<http://www.semantics.de/>) +semantics GmbH (<https://www.semantics.de/>) : Many thanks to my employer semantics for letting me work on the issue during working hours as part of semantics's open @@ -705,10 +705,10 @@ References ---------- - [XML DoS and - Defenses (MSDN)](http://msdn.microsoft.com/en-us/magazine/ee335713.aspx) -- [Billion Laughs](http://en.wikipedia.org/wiki/Billion_laughs) on + Defenses (MSDN)](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx) +- [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs) on Wikipedia -- [ZIP bomb](http://en.wikipedia.org/wiki/Zip_bomb) on Wikipedia +- [ZIP bomb](https://en.wikipedia.org/wiki/Zip_bomb) on Wikipedia - [Configure SAX parsers for secure processing](http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html) - [Testing for XML @@ -503,7 +503,7 @@ lzma is even better:: 148K zeros.xy None of Python's standard XML libraries decompress streams except for -``xmlrpclib``. The module is vulnerable <http://bugs.python.org/issue16043> +``xmlrpclib``. The module is vulnerable <https://bugs.python.org/issue16043> to decompression bombs. lxml can load and process compressed data through libxml2 transparently. @@ -716,7 +716,7 @@ Copyright (c) 2013-2017 by Christian Heimes <christian@python.org> Licensed to PSF under a Contributor Agreement. -See http://www.python.org/psf/license for licensing details. +See https://www.python.org/psf/license for licensing details. Acknowledgements @@ -743,7 +743,7 @@ Carl Meyer (Django) Daniel Veillard (libxml2) Many thanks to Daniel for his insight and assistance with libxml2. -semantics GmbH (http://www.semantics.de/) +semantics GmbH (https://www.semantics.de/) Many thanks to my employer semantics for letting me work on the issue during working hours as part of semantics's open source initiative. 
@@ -764,13 +764,13 @@ References .. _modified expat: https://bitbucket.org/tiran/expat .. _expat parser: http://expat.sourceforge.net/ .. _Attacking XML Security: https://www.isecpartners.com/media/12976/iSEC-HILL-Attacking-XML-Security-bh07.pdf -.. _Billion Laughs: http://en.wikipedia.org/wiki/Billion_laughs -.. _XML DoS and Defenses (MSDN): http://msdn.microsoft.com/en-us/magazine/ee335713.aspx -.. _ZIP bomb: http://en.wikipedia.org/wiki/Zip_bomb -.. _DTD: http://en.wikipedia.org/wiki/Document_Type_Definition +.. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs +.. _XML DoS and Defenses (MSDN): https://msdn.microsoft.com/en-us/magazine/ee335713.aspx +.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb +.. _DTD: https://en.wikipedia.org/wiki/Document_Type_Definition .. _PI: https://en.wikipedia.org/wiki/Processing_Instruction .. _Avoid the dangers of XPath injection: http://www.ibm.com/developerworks/xml/library/x-xpathinjection/index.html .. _Configure SAX parsers for secure processing: http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html .. _Testing for XML Injection: https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008) -.. _Xerces SecurityMananger: http://xerces.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html -.. _XML Inclusion: http://www.w3.org/TR/xinclude/#include_element +.. _Xerces SecurityMananger: https://xerces.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html +.. _XML Inclusion: https://www.w3.org/TR/xinclude/#include_element diff --git a/defusedxml/ElementTree.py b/defusedxml/ElementTree.py index 41b2ea8..5d5cdf5 100644 --- a/defusedxml/ElementTree.py +++ b/defusedxml/ElementTree.py 
@@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Defused xml.etree.ElementTree facade """ from __future__ import print_function, absolute_import diff --git a/defusedxml/__init__.py b/defusedxml/__init__.py index 590a5a9..5743ae3 100644 --- a/defusedxml/__init__.py +++ b/defusedxml/__init__.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Defuse XML bomb denial of service vulnerabilities """ from __future__ import print_function, absolute_import diff --git a/defusedxml/cElementTree.py b/defusedxml/cElementTree.py index cc13689..0c1baf8 100644 --- a/defusedxml/cElementTree.py +++ b/defusedxml/cElementTree.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Defused xml.etree.cElementTree """ from __future__ import absolute_import diff --git a/defusedxml/common.py b/defusedxml/common.py index 668b609..be23e97 100644 --- a/defusedxml/common.py +++ b/defusedxml/common.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Common constants, exceptions and helpe functions """ import sys diff --git a/defusedxml/expatbuilder.py b/defusedxml/expatbuilder.py index 0eb6b91..ffe4f7d 100644 --- a/defusedxml/expatbuilder.py 
+++ b/defusedxml/expatbuilder.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Defused xml.dom.expatbuilder """ from __future__ import print_function, absolute_import diff --git a/defusedxml/expatreader.py b/defusedxml/expatreader.py index ef6bc39..f2ec286 100644 --- a/defusedxml/expatreader.py +++ b/defusedxml/expatreader.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Defused xml.sax.expatreader """ from __future__ import print_function, absolute_import diff --git a/defusedxml/lxml.py b/defusedxml/lxml.py index 7f3ee0b..3468824 100644 --- a/defusedxml/lxml.py +++ b/defusedxml/lxml.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Example code for lxml.etree protection The code has NO protection against decompression bombs. diff --git a/defusedxml/minidom.py b/defusedxml/minidom.py index 0fd8684..eea895c 100644 --- a/defusedxml/minidom.py +++ b/defusedxml/minidom.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Defused xml.dom.minidom """ from __future__ import print_function, absolute_import diff --git a/defusedxml/pulldom.py b/defusedxml/pulldom.py index fc9e466..e2c846a 100644 --- a/defusedxml/pulldom.py 
+++ b/defusedxml/pulldom.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Defused xml.dom.pulldom """ from __future__ import print_function, absolute_import diff --git a/defusedxml/sax.py b/defusedxml/sax.py index 534d0ca..77aebc5 100644 --- a/defusedxml/sax.py +++ b/defusedxml/sax.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Defused xml.sax """ from __future__ import print_function, absolute_import diff --git a/defusedxml/xmlrpc.py b/defusedxml/xmlrpc.py index 2a456e6..5572c6b 100644 --- a/defusedxml/xmlrpc.py +++ b/defusedxml/xmlrpc.py @@ -2,7 +2,7 @@ # # Copyright (c) 2013 by Christian Heimes <christian@python.org> # Licensed to PSF under a Contributor Agreement. -# See http://www.python.org/psf/license for licensing details. +# See https://www.python.org/psf/license for licensing details. """Defused xmlrpclib Also defuses gzip bomb |
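Review bot: the References hunks in README.md (`@@ -705`) and README.txt (`@@ -764`) still leave three links on plain http while rewriting the lines around them: `http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html`, `http://www.ibm.com/developerworks/xml/library/x-xpathinjection/index.html` and `http://expat.sourceforge.net/`. If those hosts were checked and found not to serve the page over https, a sentence in the commit message saying so would stop the next reader from re-opening the question; if they were simply missed, they belong in this change, since a reader who follows a cleartext link from a security README gets exactly the downgrade the commit is trying to remove elsewhere.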
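Review bot: in the README.md XInclude hunk (`@@ -516`) the context line `<root xmlns:xi="http://www.w3.org/2001/XInclude">` is correctly left alone. A namespace name is an opaque identifier that parsers compare byte for byte, not a location to fetch, so rewriting it to https would silently turn the example into a document that no XInclude processor recognises. It is worth one line in the commit message ("namespace URIs intentionally unchanged") so that a later scheme sweep, automated or not, does not touch it.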
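Review bot: the rewritten lines in README.md (`@@ -626`) and README.txt (`@@ -764`) carry the misspelled label `Xerces SecurityMananger` across unchanged; the URL's own path, `org/apache/xerces/util/SecurityManager.html`, shows the intended spelling. Since both lines are being touched anyway, fixing the link text here is cheap, but in README.txt the inline reference and the `.. _Xerces SecurityMananger:` target must be renamed together or the reST reference stops resolving.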
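Review bot: the eleven `defusedxml/*.py` hunks change only the `# See ... for licensing details.` comment in each file header, so there is no behavioural change and nothing for the test suite to cover; this can merge without new tests. One thing visible in the `defusedxml/common.py` hunk's context, outside this commit's scope: the module docstring reads "Common constants, exceptions and helpe functions", which should be "helper" and could go into a follow-up typo fix.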