Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #50694
| Path | csiph.com!usenet.pasdenom.info!gegeweb.org!de-l.enfer-du-nord.net!feeder2.enfer-du-nord.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed4.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail |
|---|---|
| Return-Path | <rosuav@gmail.com> |
| X-Original-To | python-list@python.org |
| Delivered-To | python-list@mail.python.org |
| X-Spam-Status | OK 0.005 |
| X-Spam-Evidence | '*H*': 0.99; '*S*': 0.00; '16,': 0.03; 'subject:Python': 0.06; 'json': 0.07; 'think,': 0.07; 'parsers': 0.09; 'parsing': 0.09; '(via': 0.16; 'burak': 0.16; 'exploits': 0.16; 'fetch': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'subject:object': 0.16; 'subject:security': 0.16; 'wrote:': 0.18; 'looked': 0.18; 'else,': 0.19; 'restrictions': 0.19; 'meant': 0.20; 'mind.': 0.24; "haven't": 0.24; 'header:In- Reply-To:1': 0.27; 'chris': 0.29; 'am,': 0.29; 'xml': 0.29; "doesn't": 0.30; 'message-id:@mail.gmail.com': 0.30; 'quite': 0.32; 'could': 0.34; 'but': 0.35; 'received:google.com': 0.35; 'there': 0.35; 'list': 0.37; 'being': 0.38; 'generic': 0.38; 'to:addr:python-list': 0.38; 'anything': 0.39; 'explain': 0.39; 'itself': 0.39; 'to:addr:python.org': 0.39; 'how': 0.40; 'simply': 0.61; 'more': 0.64; 'details,': 0.68; 'jul': 0.74; 'have.': 0.93; 'serious': 0.97; '2013': 0.98 |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=gMXpH7A6gYptbw7WECO6LdEuyAf+Z9tMbXW5Z6S6blc=; b=iHA9IAg4Xg66wNkRFkQSkZl+8cezZSA0PQ+V1GdrlEywA+iS+IX1CD9Ezqo7AdDIPF buQmsu2ic/ihH2SRzb8KeJn2EX800378ESkDIdi1KEu4gRbiBGieMMVlNBEa8ud22hLI UvU5BHaZ0WB4um7qqMQhifoSKIOXCB90khaD1Pgzj7X/qEvi093Y/R5BsXpidRVvpksE ygSd3jigzpRYToFo459Zokmw5m2FkOs3+t3VIeSC5x3+KP9f31wgKPfGJO7lDvyn14Qp 7pPmuOl0TOVI5yP7obcY6WgvxzjsEDXmYqEPfw1pQuP2zKpJ/81a6ROIUAyJK2WNej3X 8img== |
| MIME-Version | 1.0 |
| X-Received | by 10.58.187.4 with SMTP id fo4mr28709720vec.55.1373903601731; Mon, 15 Jul 2013 08:53:21 -0700 (PDT) |
| In-Reply-To | <51E4184F.3080607@arskom.com.tr> |
| References | <CAPTjJmqAEUUrUxaFjAh8qGjBbNuhNp9Nz6RKQDbraOm0kCVJDg@mail.gmail.com> <595253102.8424684.1373892072113.JavaMail.root@sequans.com> <CAPTjJmoP0OHZP+GBjjZxVMwVT0eSXG1azK1NkZov_x4=1jq-xQ@mail.gmail.com> <51E4184F.3080607@arskom.com.tr> |
| Date | Tue, 16 Jul 2013 01:53:21 +1000 |
| Subject | Re: Python - remote object protocols and security |
| From | Chris Angelico <rosuav@gmail.com> |
| To | python-list@python.org |
| Content-Type | text/plain; charset=ISO-8859-1 |
| X-BeenThere | python-list@python.org |
| X-Mailman-Version | 2.1.15 |
| Precedence | list |
| List-Id | General discussion list for the Python programming language <python-list.python.org> |
| List-Unsubscribe | <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe> |
| List-Archive | <http://mail.python.org/pipermail/python-list/> |
| List-Post | <mailto:python-list@python.org> |
| List-Help | <mailto:python-list-request@python.org?subject=help> |
| List-Subscribe | <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.4734.1373903610.3114.python-list@python.org> (permalink) |
| Lines | 18 |
| NNTP-Posting-Host | 2001:888:2000:d::a6 |
| X-Trace | 1373903610 news.xs4all.nl 15908 [2001:888:2000:d::a6]:58330 |
| X-Complaints-To | abuse@xs4all.nl |
| Xref | csiph.com comp.lang.python:50694 |
Show key headers only | View raw
On Tue, Jul 16, 2013 at 1:42 AM, Burak Arslan <burak.arslan@arskom.com.tr> wrote: > On 07/15/13 13:57, Chris Angelico wrote: >> But what I meant was that the [Json] protocol itself is designed with >> security restrictions in mind. It's designed not to fetch additional >> content from the network (as XML can), > > Can you explain how parsing XML can fetch data from the network? I haven't looked into the details, but there was one among a list of exploits that was being discussed a few months ago; it involved XML schemas, I think, and quite a few generic XML parsers could be tricked into fetching arbitrary documents. Whether this could be used for anything more serious than a document-viewed receipt or a denial of service (via latency) I don't know, but if nothing else, it's a vector that JSON simply doesn't have. ChrisA
Back to comp.lang.python | Previous | Next | Find similar | Unroll thread
Re: Python - remote object protocols and security Chris Angelico <rosuav@gmail.com> - 2013-07-16 01:53 +1000
csiph-web