author: Christian Heimes <christian@cheimes.de> 2013-02-15 14:54:02 +0100
committer: Christian Heimes <christian@cheimes.de> 2013-02-15 14:54:02 +0100
commit: ad9edc0e4f201595bb6337b7b1f8d0301e898440 (patch)
tree: d2fd94b194a2551030678409c8261dc4a6b40ed4
parent: 83353c69d41fd34d1096b77a8db87efa78302eb9 (diff)
download: defusedxml-ad9edc0e4f201595bb6337b7b1f8d0301e898440.tar.gz
other things list is pessimistic
-rw-r--r-- README.txt 10
1 files changed, 6 insertions, 4 deletions
diff --git a/README.txt b/README.txt
index f32747b..e8fdacd 100644
--- a/README.txt
+++ b/README.txt
@@ -339,13 +339,15 @@ Other things to consider
========================
XML, XML parsers and processing libraries have more features and possible
-issue that can lead to DoS vulnerabilities or security exploits in
+issue that could lead to DoS vulnerabilities or security exploits in
applications. I have compiled an incomplete list of possible issues that
-need further research and more attention.
+need further research and more attention. The list is deliberately pessimistic
+and a bit paranoid, too. It contains things that might go wrong under daffy
+circumstances.
-attribute blowup
-----------------
+attribute blowup / hash collision attack
+----------------------------------------
XML parsers may use an algorithm with quadratic runtime O(n :sup:`2`) to
handle attributes and namespaces. If it uses hash tables (dictionaries) to
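Review bot: the rewritten sentence in the first part of this hunk still has a number-agreement error that the change touches but leaves in place: "more features and possible issue that could lead to DoS vulnerabilities" should read "possible issues that could lead to". Since the `-`/`+` pair already rewrites this line ("can" to "could"), fixing "issue" to "issues" in the same line would be a natural part of the change. Separately, "things that might go wrong under daffy circumstances" is informal for a security README; "unusual" or "contrived circumstances" would convey the same caveat more clearly to readers assessing which items on the list apply to them.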