| Field | Value |
|---|---|
| Date | 2013-07-16 01:53 +1000 |
| Subject | Re: Python - remote object protocols and security |
| From | Chris Angelico <rosuav@gmail.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.4734.1373903610.3114.python-list@python.org> |
| References | <CAPTjJmqAEUUrUxaFjAh8qGjBbNuhNp9Nz6RKQDbraOm0kCVJDg@mail.gmail.com> <595253102.8424684.1373892072113.JavaMail.root@sequans.com> <CAPTjJmoP0OHZP+GBjjZxVMwVT0eSXG1azK1NkZov_x4=1jq-xQ@mail.gmail.com> <51E4184F.3080607@arskom.com.tr> |
On Tue, Jul 16, 2013 at 1:42 AM, Burak Arslan <burak.arslan@arskom.com.tr> wrote:

> On 07/15/13 13:57, Chris Angelico wrote:
>> But what I meant was that the [Json] protocol itself is designed with
>> security restrictions in mind. It's designed not to fetch additional
>> content from the network (as XML can),
>
> Can you explain how parsing XML can fetch data from the network?

I haven't looked into the details, but there was one among a list of exploits that was being discussed a few months ago; it involved XML schemas, I think, and quite a few generic XML parsers could be tricked into fetching arbitrary documents. Whether this could be used for anything more serious than a document-viewed receipt or a denial of service (via latency) I don't know, but if nothing else, it's a vector that JSON simply doesn't have.

ChrisA
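The mechanism behind "parsers could be tricked into fetching arbitrary documents" is the external entity declaration: a DOCTYPE can declare an entity whose replacement text is supposed to be loaded from a URL or file path, and a parser that honours the declaration performs that fetch while expanding a reference such as `&remote;`. The example below is added here and is not from the thread or from any of the posters; it uses only Python's standard-library expat binding to intercept every such reference, refuse the fetch, and record the URL the document tried to reach, which is what a defender wants to see in a log. The sample documents, the tracker URL, and the names `parse_untrusted_xml` and `ExternalReferenceRefused` are constructed for the example.

```python
# Added example, not code from the thread. Uses only the standard library's
# expat binding; the sample documents, the URL and the names are constructed.
import xml.parsers.expat

# Constructed: the internal DTD subset declares an entity whose replacement
# text is supposed to come from a remote URL, and the body references it.
# A parser that honours the declaration would issue an HTTP request here,
# which is exactly the "document-viewed receipt" case from the thread.
UNTRUSTED_XML = b"""<?xml version="1.0"?>
<!DOCTYPE receipt [
  <!ENTITY remote SYSTEM "http://tracker.invalid/opened?id=42">
]>
<receipt><status>&remote;</status></receipt>
"""

# Constructed: a document with no external references at all.
SAFE_XML = b"<receipt><status>paid</status></receipt>"


class ExternalReferenceRefused(ValueError):
    """Raised in strict mode when the document references an external resource."""


def parse_untrusted_xml(data, reject_external=False):
    """Parse XML without ever fetching external entities.

    Returns (character_data, attempted_system_ids). Every external entity
    reference is recorded but not followed; with reject_external=True the
    first such reference aborts parsing instead of being silently emptied.
    """
    attempted = []
    text = []

    def on_external_ref(context, base, system_id, public_id):
        # Expat delegates loading the entity to this callback. We never create
        # the sub-parser that would read system_id; returning 1 tells expat the
        # entity was handled (with empty content), returning 0 aborts parsing.
        attempted.append(system_id)
        return 0 if reject_external else 1

    parser = xml.parsers.expat.ParserCreate()
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    # Parameter-entity parsing is off by default in expat, so an external DTD
    # subset named on the DOCTYPE line is not fetched either.
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        if reject_external and attempted:
            raise ExternalReferenceRefused(attempted[-1]) from exc
        raise
    return "".join(text), attempted


if __name__ == "__main__":
    print(parse_untrusted_xml(SAFE_XML))        # ('paid', [])
    print(parse_untrusted_xml(UNTRUSTED_XML))   # ('', ['http://tracker.invalid/opened?id=42'])
```

The asymmetry Chris points to is visible in the shape of the code: the XML side needs a callback to decide what happens when the document names a resource to load, because the format has a declaration for that; a JSON parser has no such hook to configure because the grammar cannot express an external reference at all. Logging `attempted` rather than only dropping the reference is the useful defensive detail, since a document carrying a SYSTEM identifier pointing at a host you do not control is worth an alert on its own.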