author Christian Heimes <christian@python.org> 2013-02-15 14:54:02 +0100
committer Christian Heimes <christian@python.org> 2013-02-15 14:54:02 +0100
commit 573e0c16ed72421504897d7fabffd18c763d9851 (patch)
tree d2fd94b194a2551030678409c8261dc4a6b40ed4
parent 5b1a08422a69ed98b893a3d1bac0342af9646a15 (diff)
download defusedxml-git-573e0c16ed72421504897d7fabffd18c763d9851.tar.gz
other things list is pessimistic
-rw-r--r-- README.txt 10
1 files changed, 6 insertions, 4 deletions
diff --git a/README.txt b/README.txt
index f32747b..e8fdacd 100644
--- a/README.txt
+++ b/README.txt
@@ -339,13 +339,15 @@ Other things to consider
========================
XML, XML parsers and processing libraries have more features and possible
-issue that can lead to DoS vulnerabilities or security exploits in
+issue that could lead to DoS vulnerabilities or security exploits in
applications. I have compiled an incomplete list of possible issues that
-need further research and more attention.
+need further research and more attention. The list is deliberately pessimistic
+and a bit paranoid, too. It contains things that might go wrong under daffy
+circumstances.
-attribute blowup
-----------------
+attribute blowup / hash collision attack
+----------------------------------------
XML parsers may use an algorithm with quadratic runtime O(n :sup:`2`) to
handle attributes and namespaces. If it uses hash tables (dictionaries) to
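Review bot: the reworded line "+issue that could lead to DoS vulnerabilities" still has a number mismatch with the preceding context line "more features and possible"; it should read "issues that could lead to DoS vulnerabilities" since the hunk touches that line anyway. Also, "under daffy circumstances" in the added sentence is colloquial and may not be clear to all readers of a security README; "under unusual circumstances" or "under contrived circumstances" says the same thing more plainly. The new heading "attribute blowup / hash collision attack" and its underline are both 40 characters, so the RST title stays valid.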