Re: Python - remote object protocols and security

Date Mon, 15 Jul 2013 17:31:33 +0100
From Burak Arslan <burak.arslan@arskom.com.tr>
To python-list@python.org
Subject Re: Python - remote object protocols and security
References <CAPTjJmqAEUUrUxaFjAh8qGjBbNuhNp9Nz6RKQDbraOm0kCVJDg@mail.gmail.com> <595253102.8424684.1373892072113.JavaMail.root@sequans.com> <CAPTjJmoP0OHZP+GBjjZxVMwVT0eSXG1azK1NkZov_x4=1jq-xQ@mail.gmail.com> <51E4184F.3080607@arskom.com.tr> <CAPTjJmrCFtjhKaO_SBzGWsGKt-NyXmVaZ__Bj7dF1b0FDcuJuw@mail.gmail.com>
In-Reply-To <CAPTjJmrCFtjhKaO_SBzGWsGKt-NyXmVaZ__Bj7dF1b0FDcuJuw@mail.gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.4739.1373905875.3114.python-list@python.org>



On 07/15/13 16:53, Chris Angelico wrote:
> I haven't looked into the details, but there was one among a list of
> exploits that was being discussed a few months ago; it involved XML
> schemas, I think, and quite a few generic XML parsers could be tricked
> into fetching arbitrary documents. Whether this could be used for
> anything more serious than a document-viewed receipt or a denial of
> service (via latency) I don't know, but if nothing else, it's a vector
> that JSON simply doesn't have. ChrisA 

I must have missed that exploit report, can you provide a link?

Parsing arbitrary xml documents and parsing xml schema documents and
applying xml schema semantics to these documents are two very different
operations.

Xml schemas are not "tricked" into fetching arbitrary documents,
xs:include and xs:import fetch external documents, it's a well-known
feature. If you don't want this, you should ship all of the schema
documents together and generate the schemas in a way to not include any
external references. So I'm surprised this was presented as a security
exploit.

Json schemas also have similar functionality:
http://json-schema.org/latest/json-schema-core.html#anchor30

"""
if canonical dereferencing is used, the implementation will dereference
this URI, and fetch the content at this URI;
"""

So I don't understand how you're so sure of yourself, but to me, it
seems like Json schemas have the same attack vectors.

Best regards,
Burak
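The point argued above, that an XSD with xs:include/xs:import and a JSON Schema with "$ref" both tell a schema processor to load another document, and that the mitigation is to ship the whole schema set and refuse anything outside it, can be checked mechanically. The following Python is an added example, not code from the original post or from any XML or JSON Schema library: it lists the out-of-document references in both schema kinds and reports the ones a bundle-only resolver would refuse. The sample schemas, the bundle and the BundleResolver class are constructed for the example.

```python
"""Audit XSD and JSON Schema documents for references that force a fetch.

Added example, not part of the original post. xs:include, xs:import and
xs:redefine (via schemaLocation) in XSD, and "$ref" in JSON Schema, each
make the processor load another document. The sample schemas, BUNDLE and
BundleResolver are constructed/hypothetical, not any library's API.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XS = "http://www.w3.org/2001/XMLSchema"
# Elements whose schemaLocation attribute tells the processor to fetch a document.
XSD_FETCHING_ELEMENTS = {f"{{{XS}}}{name}" for name in ("include", "import", "redefine")}


def is_external(location):
    """True if resolving this location leaves the bundle: any URI scheme
    (http, https, file, ...), an absolute path, or a '..' path segment."""
    parts = urlsplit(location)
    if parts.scheme:
        return True
    return parts.path.startswith("/") or ".." in parts.path.split("/")


def xsd_references(xsd_text):
    """Return [(element_name, schemaLocation)] for every xs:include/import/redefine."""
    root = ET.fromstring(xsd_text)  # ElementTree only reads the tree; no XSD semantics
    refs = []
    for el in root.iter():
        if el.tag in XSD_FETCHING_ELEMENTS and el.get("schemaLocation") is not None:
            refs.append((el.tag.split("}", 1)[1], el.get("schemaLocation")))
    return refs


def json_schema_references(schema):
    """Return every "$ref" value in a parsed JSON Schema, in document order."""
    refs = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "$ref" and isinstance(value, str):
                    refs.append(value)
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(schema)
    return refs


class BundleResolver:
    """Hypothetical resolver: serves schema documents only from an in-memory
    bundle keyed by relative location, and never fetches anything."""

    def __init__(self, bundle):
        self._bundle = dict(bundle)

    def resolve(self, reference):
        document = reference.split("#", 1)[0]
        if document == "":
            return None  # same-document fragment, nothing to load
        if is_external(document) or document not in self._bundle:
            raise LookupError(f"refusing to fetch schema document: {reference!r}")
        return self._bundle[document]

    def unresolvable(self, references):
        """References this resolver refuses, i.e. the ones a dereferencing
        processor would satisfy with a network or filesystem fetch."""
        refused = []
        for ref in references:
            try:
                self.resolve(ref)
            except LookupError:
                refused.append(ref)
        return refused


# Constructed samples: a bundle shipped with the application, plus one XSD and
# one JSON Schema that reference it and also reach outside it.
BUNDLE = {
    "common-types.xsd": "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'/>",
    "common.json": '{"definitions": {"customer": {"type": "string"}}}',
}
SAMPLE_XSD = """<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:include schemaLocation="common-types.xsd"/>
  <xs:import namespace="http://www.w3.org/XML/1998/namespace"
             schemaLocation="http://www.w3.org/2001/xml.xsd"/>
  <xs:element name="order" type="xs:string"/>
</xs:schema>
"""
SAMPLE_JSON_SCHEMA = {
    "type": "object",
    "properties": {
        "address": {"$ref": "#/definitions/address"},
        "customer": {"$ref": "common.json#/definitions/customer"},
        "shipping": {"$ref": "http://example.com/schemas/shipping.json"},
    },
    "definitions": {"address": {"type": "string"}},
}


def audit():
    """Return the references in both sample schemas that the bundle cannot serve."""
    resolver = BundleResolver(BUNDLE)
    xsd_locations = [loc for _, loc in xsd_references(SAMPLE_XSD)]
    return {
        "xsd": resolver.unresolvable(xsd_locations),
        "json": resolver.unresolvable(json_schema_references(SAMPLE_JSON_SCHEMA)),
    }


if __name__ == "__main__":
    for kind, refused in audit().items():
        for ref in refused:
            print(f"{kind}: would fetch {ref}")
```

This is a pre-check on schema documents before they are handed to a real validator; it does not by itself stop a validator that is configured to dereference. Whatever library actually applies the schema (lxml for XSD, a JSON Schema package for "$ref") has its own resolution hook, and the same bundle-only policy has to be installed there for the protection to hold.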
